1 Introduction 



This paper is about a state transition model for communication protocols. 

The protocols governing data communication in computer systems are becoming ever 
more complex, and therefore more difficult to design, understand and analyze. This leads 
a number of researchers to advocate the use of formal methods for description and analysis 
of protocols |TMllFlo2] . 

State transition models are often used to describe formally (certain aspects of) commu- 
nication protocols. This paper is concerned with a state transition model in which stations 
(modelled by finite state machines) communicate by exchanging messages, which are sub- 
jected to unpredictable and unbounded delays. (Thus transitions in the finite state machines 
are loosely coupled, in contrast to the directly coupled transitions of [Bo2].) The communi- 
cation channels function as potentially unbounded FIFO queues. 

An attractive feature of state transition models is that various general properties (called 
"syntactic properties" in [Zaf]) can be automatically verified if the queues (channels) are 
bounded. On the other hand, Brand and Zafiropulo [Bra] show that the verification of the 
same properties cannot be automated for general collections of communicating finite state 
machines connected by unbounded queues. 

This paper investigates the question of decidability (algorithm existence) in some detail, 
and concentrates on a class of communicating finite state machines in which certain general 
properties are algorithmically decidable, although the queues are not necessarily bounded. 
(Thus our goal is similar to that of [Bra], but our methods and results are different.) The 
technique proposed in this paper is the third stage in the following hierarchy of formalisms 
for protocol description. (All three stages will be exemplified in the next section.) 

• The list of all interactions. 

• Communicating finite state machines (CFSM). 

• CFSM augmented with channel expressions. 

The paper is organized as follows: Section 2, which is a continuation of this introduc- 
tion, contains several examples. In section 3, where the formalism begins, communicating 
finite state machines (CFSM) are defined. Section 4 lists various properties that can be 
defined in the CFSM model. Section 5 introduces two basic techniques for analyzing CFSM 
protocols, the exhaustive reachability analysis and abstract flow control. Section 6 shows 
that certain properties of SR-machines are decidable, although they are seemingly similar 
to the properties proved undecidable in section 7. In section 7 we shall see that most of the 
interesting properties in the CFSM model are undecidable (cf. [Bra]). For example, there 
is no algorithm to decide whether a protocol is deadlock-free. 
It is then natural to ask: When can we prove that a protocol is deadlock-free? A simple 
proof formalism is offered and investigated in sections 8, 9 and 10. Its virtue is its simplicity, 
which allows straightforward automatic proof checking. Not every deadlock-free protocol 
can be proved to be deadlock-free in the formalism (nor in any other formalism, in view of 
the undecidability result), but the method applies to the protocols that "use their channels 
in a simple manner". Section 8 presents a simple version of the formalism, applicable to the 
protocols consisting of finite state machines arranged in a circle. A more general theory is 
presented in section 9. Section 10 generalizes the results of section 5 about abstract flow 
control, and concludes with several decidability results. 

2 Introductory examples 

This section presents three examples to illustrate the three methods of protocol description 
listed in the introduction. 

2.1 Description by listing all interactions 

A simple access authorization protocol (adapted from [Zaf], p. 652), allowing only two 
interactions (communication histories), is depicted in Fig. 2.1(a) and Fig. 2.1(b). 

The description method is straightforward and easy to understand, and a simple match- 
ing algorithm will discover deadlocks, unspecified receptions etc. However, the protocols 
that allow infinitely many (or a very large number of) communication histories cannot be 
completely described. 

2.2 Description by communicating finite state machines 

Stations (processes) are represented by finite state machines whose transitions correspond 
to transmissions and receptions of messages. E.g. the protocol of Fig. 2.1 can be described 
as shown in Fig. 2.2 (cf. Fig. 1 in [Zaf]). 

Since the finite state machines can contain cycles, some protocols that allow infinitely 
many message sequences can be described this way. Deadlock-freedom and other general 
properties are algorithmically verifiable, provided there is an upper bound on the number 
of messages that can be simultaneously in transit. This finiteness condition, which is far 
weaker than the one in 2.1, is further substantially relaxed in 2.3 below, at the cost of 
making the description more elaborate. 
Fig. 2.1(a). Process 0 and Process 1 exchange ACCESS_REQUEST, GRANTED_ACCESS and RELINQUISHED_ACCESS. 

Fig. 2.1(b). Process 0 and Process 1 exchange ACCESS_REQUEST and REFUSED_ACCESS. 

Fig. 2.2. (Transition diagrams of Process 0 and Process 1 for the protocol of Fig. 2.1.) 
2.3 Communicating finite state machines augmented by channel expressions 

This is an extension of the model in 2.2. The protocol designer is required to provide not 
only the finite state machines representing the processes, but also a complete description of 
channel content for each combination of states. In this paper we consider such a model, in 
which the channel content is described by rational expressions. 

Example. A simple alternating-bit protocol for transmission over unreliable channels 
can be described as in Fig. 2.3. There are six message types used in the protocol: 



    EV     even data packet 
    OD     odd data packet 
    ED     end of data 
    EVA    acknowledgement of EV 
    ODA    acknowledgement of OD 
    EDA    acknowledgement of ED 



Receptions are denoted by + and transmissions by −. Following the suggestion in [Zaf], we 
describe the unreliable channels by two additional finite state machines, depicted in Fig. 
2.4. We think of all errors on the channel as being concentrated in one place, under the 
control of a demon. The rest of the channel then functions as a perfect FIFO queue. 

Fig. 2.4 makes precise what we mean by an unreliable channel: The demon retransmits 
some of the messages it receives, and ignores (deletes) others. 

The complete model now consists of four finite state machines connected by four channels, 
as in Fig. 2.5. 

Since Process 0 can repeatedly send the message EV, OD or ED, there is no upper bound 
on the number of messages that can be simultaneously in transit. Thus the description 
developed so far, although completely specifying all interactions, does not easily submit to 
analysis. We will aid the analysis by describing all the channel contents that can occur for 
each combination of states. Since the model has four state machines with four states each, 
the additional information will be in the form of a table with $4 \times 4 \times 4 \times 4 = 256$ entries (one 
for each state combination), each entry being the set of all channel contents that can coexist 
with the state combination. As the model has four channels, a set of channel contents is a 
4-ary relation. All 256 relations in this example are rational, i.e. they can be described by 
rational expressions. Fig. 2.6 lists four of the 256 relations in question, namely those for the 
state combinations 00/10/20/30, 01/10/20/30, 02/10/20/30 and 03/10/20/30. In fact, it is 
sufficient to specify these four entries; the remaining 252 can be automatically computed. 

In Fig. 2.6, $ED_\alpha$ is the symbol ED in the channel $\alpha$, $ED_\beta$ is the symbol ED in the 
channel $\beta$, etc. By using the subscripts we make the channel alphabets disjoint, and avoid 
ambiguity in the channel expressions. 
Fig. 2.3. A simple alternating-bit protocol. (Transition diagrams of Process 0 and Process 1, each with a start state; labels legible in the scan include −ED, +EDA, +EVA and +ODA.) 
Fig. 2.4. Unreliable channels modelled by demons (Demon 2 and Demon 3). 
Fig. 2.5. The communication graph. 



Composite state     Channel contents 

00/10/20/30         ( ED; EV* a ED* ∪ ET a ED* EV* ) EDA; EDA* ∪ 
                    EV*, EV^ ( EDA; EVA; EDA*- ∪ EVA; EDA* EVA*- ) ∪ 
                    ( OD; EV; OD^ ∪ EV; OD^ EV^ ) ODA; ODA* ∪ 
                    EV*, EV* ( ODA; EVA; ODA*- ∪ EVA; ODA*- EVA*- ) 

01/10/20/30         ( EV*, OD; EV^ ∪ OD; EVj ODj ) EVA; EVA* ∪ 
                    OD; OD* ( EVA; ODA; EVA*- ∪ ODA; EVA*. ODA*- ) 

02/10/20/30         ( EY* a ED*, EV£ ∪ ED* EV^ ED^ ) EVA; EVA* ∪ 
                    ED*, ED^ ( EVA; EDA; EVA*- ∪ EDA; EVA* EDA*; ) ∪ 
                    ( OD*, ED*, OD* ∪ ED* OD* ED* ) ODA; ODA* ∪ 
                    ED* ED^ ( ODA; EDA; ODA*- ∪ EDA; ODA*. EDA*- ) 

03/10/20/30         ED; ED*, EDA; EDA* 

Fig. 2.6. Rational expressions for channel contents. 
3 Communicating finite state machines 



The present paper treats communicating finite state machines as mathematical objects. 
They are formally defined in this section. The formalism is fairly close to that in [Bra]. 

A directed graph is a pair $G = (N, E)$ where $N$ and $E$ are two sets (the set of nodes 
and the set of edges), together with two maps, denoted $\xi \mapsto -\xi$ and $\xi \mapsto +\xi$, from $E$ to $N$. 
We say that $-\xi$ is the tail and $+\xi$ the head of the edge $\xi$; when $i = -\xi$ and $j = +\xi$, we 
sometimes write $i \to j$. We say that $G$ is finite if both $N$ and $E$ are finite. 

A protocol (or, more explicitly, a CFSM protocol) $P$ consists of a finite directed graph 
$G = (N, E)$ (the communication graph of $P$), a collection of pairwise disjoint finite sets $M_\xi$ 
indexed by $\xi \in E$, and a collection of finite state machines $F_j$ indexed by $j \in N$. Each $F_j$ 
operates over the alphabet 

$$\Sigma_j = \{ +b \mid b \in M_\xi,\ j = +\xi \} \cup \{ -b \mid b \in M_\xi,\ j = -\xi \} .$$ 

Specifically, $F_j = (K_j, \Sigma_j, T_j, h_j)$ where $K_j$ is the finite set of states, $h_j \in K_j$ is the initial 
(or home) state, and $T_j \subseteq K_j \times \Sigma_j \times K_j$ is the set of transitions. 

We write $p \xrightarrow{e} q$ in $F_j$ (or simply $p \xrightarrow{e} q$, if no misunderstanding is possible) when 
$(p, e, q) \in T_j$. (Here $e = -b$ or $e = +b$, for some $\xi$ and $b \in M_\xi$.) The transition diagram of 
$F_j$ is the labelled directed graph with nodes $K_j$ and labelled edges $p \xrightarrow{e} q$ for $(p, e, q) \in T_j$. 

Write $p \xrightarrow{w} q$, for $w \in \Sigma_j^*$, if there is a directed path from $p$ to $q$, in the transition diagram 
of $F_j$, such that the labels on the edges of the path form the string $w$ (in the order from $p$ to 
$q$). Sometimes we write $p \xrightarrow{e}$ instead of "$p \xrightarrow{e} q$ for some $q$", and similarly $p \xrightarrow{w}$ for $w \in \Sigma_j^*$. 

The model corresponds to reality in this way: The graph $G$ describes the protocol con- 
figuration (the edges are unidirectional communication channels); we say that the machines 
$F_j$ in $P$ communicate according to $G$. The set $M_\xi$ is the set of messages that can be sent 
along the channel $\xi$ (in practice these sets need not be disjoint, but the assumption that 
they are causes no loss of generality and is technically useful). The machine $F_j$ represents a 
process located at $j \in N$ and capable of sending messages to the channels $\xi$ such that $j = -\xi$ 
and of receiving messages from the channels $\xi$ such that $j = +\xi$. Message transmissions 
and receptions match transitions in the state machines: $p \xrightarrow{+b} q$ in $F_j$ means $b \in M_\xi$ received, 
and $p \xrightarrow{-b} q$ in $F_j$ means $b \in M_\xi$ sent (at $j \in N$ along $\xi \in E$). 

In the sequel we shall have an opportunity to deal with CFSM protocols of a special 
form, the SR-machines of Gouda [Gou]: 

A state $p \in K_j$ is a send state if $p \xrightarrow{+b}$ for no $b$; similarly $p$ is a receive state if $p \xrightarrow{-b}$ for 
no $b$. Say that $F_j$ is an SR-machine if 

(a) $K_j$ has only send and receive states, 

(b) the transition diagram of $F_j$ is strongly connected, and 

(c) if $p \xrightarrow{e} q_1$ and $p \xrightarrow{e} q_2$ in $F_j$ then $q_1 = q_2$. 
A pair of communicating SR-machines is a protocol with two SR-machines $F_0$ and $F_1$ 
communicating according to the graph $0 \rightleftarrows 1$ (i.e. $N = \{0, 1\}$, $E = \{\alpha, \beta\}$, $-\alpha = +\beta = 0$ 
and $+\alpha = -\beta = 1$). 

Other variations of communicating finite state machines have been employed to describe 
and analyze communication protocols, but the differences between them are not essential 
in the present context. The popularity of the model stems from the fact that, while being 
simple and abstract, it is rich enough to embrace some general communication properties 
(sometimes called syntactic properties) . Several such properties are enumerated in the next 
section. They are all defined in terms of the global state space, which we now proceed to 
describe. 

In our basic model, we assume that the channels function as perfect FIFO queues. That 
is, they are error- free (imperfect channels are modelled indirectly, by demons), and in each 
channel messages are received in the same order as sent. We place no a priori bound on 
the queue lengths; the intention is to model unpredictable and unbounded communication 
delays. 

Let $P$ be a CFSM protocol, with the notation as above. A composite state of $P$ is a 
vector $S = (p_j : j \in N)$ of states $p_j \in K_j$. A channel content (or "composite channel state") 
is a vector $C = (x_\xi : \xi \in E)$ of strings $x_\xi \in M_\xi^*$ (each $x_\xi$ is a string over the alphabet $M_\xi$). A 
global state is a pair $(S, C)$ where $S$ is a composite state and $C$ is a channel content. The 
initial global state is $(S^0, C^0)$ where $S^0 = (h_j : j \in N)$ and $C^0 = (x_\xi : \xi \in E)$ with each $x_\xi$ 
being the empty string $\lambda$. 

Our aim is to define a labelled directed graph whose nodes will be global states of $P$ 
and which will have two kinds of labelled edges (write $S = (p_j : j \in N)$, $S' = (q_j : j \in N)$, 
$C = (x_\xi : \xi \in E)$, $C' = (y_\xi : \xi \in E)$): 

(1) (Receive from channel $\beta$) 

$$(S, C) \vdash^{+b} (S', C')$$ 

if there are $i$ and $\beta$ with $i = +\beta$, such that $p_j = q_j$ for $j \ne i$, $p_i \xrightarrow{+b} q_i$ in $F_i$, $x_\xi = y_\xi$ for 
$\xi \ne \beta$, and $x_\beta = b\,y_\beta$. 

(2) (Send to channel $\beta$) 

$$(S, C) \vdash^{-b} (S', C')$$ 

if there are $i$ and $\beta$ with $i = -\beta$, such that $p_j = q_j$ for $j \ne i$, $p_i \xrightarrow{-b} q_i$ in $F_i$, $x_\xi = y_\xi$ for 
$\xi \ne \beta$, and $y_\beta = x_\beta\,b$. 

Write $(S, C) \vdash (S', C')$ if $(S, C) \vdash^{+b} (S', C')$ or $(S, C) \vdash^{-b} (S', C')$ for some $b$. Let $\vdash^*$ be 
the reflexive and transitive closure of $\vdash$. Say that a global state $(S', C')$ is reachable from 
a global state $(S, C)$ if $(S, C) \vdash^* (S', C')$. 
Say that a global state is reachable if it is reachable from $(S^0, C^0)$. The global state space 
of the protocol $P$ is the labelled directed graph whose nodes are all the reachable global 
states of $P$, with labelled edges $\vdash^{+b}$ and $\vdash^{-b}$ defined above. 

4 Reachability properties 

The general reachability problem, in its simplest form, is "Given a (possibly infinite) directed 
graph and two of its nodes, can one node be reached from the other along a path in the 
graph?" One may wish to construct an algorithm to answer the question; this leads to a 
decidability problem: Is there an algorithm to decide, for any given graph and two nodes, 
whether one can be reached from the other? In other words, is the reachability problem 
(algorithmically) decidable? 

Algorithms to solve two problems of this kind have been found recently, after a prolonged 
research effort: Kannan and Lipton [Kan] constructed an algorithm to solve Harrison's orbit 
problem, and Mayr [May] constructed an algorithm for the Petri net reachability problem. 
The CFSM model brings up another reachability problem, which is, unlike the previous 
two, undecidable (see section 7). However, it is worthwhile to investigate restrictions on the 
problem that make it decidable; this is the chief subject of the present paper. 

In fact, there is not one but a number of reachability problems in the CFSM model. The 
(possibly infinite) directed graph where they all reside is the global state space defined in 
the previous section. 

A simple reachability problem (or a reachability problem of the first order) has the form 
"Is a given global state reachable (from $(S^0, C^0)$)?" For example, the problem of finding 
stable composite states can be treated as a simple reachability problem: A composite state 
$S$ is called stable if $(S, C^0)$ is reachable; cf. [Zaf], [Bra]. Since there are only finitely many 
composite states, the problem of listing all stable ones is solved by answering finitely many 
simple reachability problems. 

A global state $(S, C)$ is said to be deadlocked if every state in $S$ is a receive state and 
$C = C^0$. The protocol $P$ is deadlock-free if no deadlocked global state is reachable. The 
question whether $P$ is deadlock-free is a special case of the stable composite state problem 
in the previous paragraph. 

However, there are other pertinent reachability problems that are not simple in this sense 
(or at least it is not immediately obvious if they are). Say that $b \in M_\beta$ can arrive at the 
state $p \in K_i$ if $i = +\beta$ and there is a reachable global state $((p_j : j \in N), (x_\xi : \xi \in E))$ such 
that $p = p_i$ and $x_\beta = b\,y_\beta$ for some $y_\beta \in M_\beta^*$. The problem of finding all pairs $(p, b)$ such 
that $b$ can arrive at $p$ ("executable receptions" in the terminology of [Bra]) is of the form 
"Is at least one element of a given set of global states reachable?" Let us call this a second 
order reachability problem. Of course, the set of global states in question can be described 
in various ways; that can make the problem more or less difficult (or even decidable or 
undecidable). 

Say that a global state $(S, C)$ is globally blocked if $(S, C) \vdash (S', C')$ for no global state 
$(S', C')$. (Every deadlocked global state is globally blocked but not vice versa.) 

A global state $(S, C) = (S, (x_\xi : \xi \in E))$ is blocked on channel $\beta \in E$ if $x_\beta = by$, $b \in M_\beta$, 
$y \in M_\beta^*$, and there are no global states $(S', C')$ and $(S'', C'')$ satisfying 

$$(S, C) \vdash^* (S', C') \vdash^{+b} (S'', C'') .$$ 

The property that no reachable global state is blocked on any channel (that is, every 
transmitted message can be eventually received) should be compared with the following 
stronger property, defined in [Bra]. The protocol is well-formed if for any $p \in K_j$ and $b \in M_\beta$ 
we have: $b$ can arrive at $p$ if and only if $p \xrightarrow{+b}$ in $F_j$. This means that the protocol is able to 
receive every message immediately upon arrival and, moreover, the transition diagram of $F_j$ 
has no useless edges. 

Another example of a second order reachability property: A protocol with the commu- 
nication graph $0 \rightleftarrows 1$ is said to have the half-duplex property if every reachable global 
state $((p_0, p_1), (x_\alpha, x_\beta))$ satisfies $x_\alpha = \lambda$ or $x_\beta = \lambda$. 

Finally, certain useful reachability properties are neither first nor second order. The 
protocol P has the bounded channel property if there is an upper bound on the total length 
of all strings in C, over all reachable global states (S, C). Obviously P has this property if 
and only if the global state space is finite. 

We can see that, although the CFSM model is very simple and general, it allows us 
to formulate a number of meaningful protocol properties. Moreover, the properties are all 
described in a uniform manner, as reachability properties in a certain (potentially infinite) 
graph. The next question is whether the properties can be algorithmically decided. In this 
paper we concentrate on the deadlock problem ("Is the protocol deadlock-free?"), and the 
stable composite state problem ( "Is a given composite state stable?" ) , two representatives of 
simple (first order) reachability problems. Occasionally we also note how the results apply 
to other reachability problems. 

5 Reachability analysis and abstract flow control 

When the global state space is finite, all reachability problems can be, at least in principle, 
algorithmically solved. Indeed, one can explicitly construct the global state space (as a finite 
directed graph) and search it to decide any reachability problem. We refer to this method 
as the exhaustive reachability analysis. 
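The exhaustive reachability analysis just described, as an added Python example that is not part of the paper: it constructs the global state space of sections 3 and 4 (edges (1) and (2)) with a bound on channel length, and reports deadlocked global states and stable composite states. The two-process protocol, its message-to-channel map and the numbering of nodes as 0..n−1 are assumptions of the example, constructed in the spirit of Fig. 2.1 rather than copied from it.

```python
# Added example, not from the paper: bounded exhaustive reachability analysis
# of a CFSM protocol, using the definitions of sections 3 and 4.
from collections import deque

# Communication graph G = (N, E): channel name -> (tail -xi, head +xi).
# Assumption: nodes are numbered 0..n-1 so that they index the vector S.
CHANNELS = {"alpha": (0, 1), "beta": (1, 0)}
CHANNEL_NAMES = sorted(CHANNELS)

# The channel alphabets M_xi are disjoint, so a message names its channel.
MSG_CHANNEL = {"ACCESS_REQUEST": "alpha", "RELINQUISHED_ACCESS": "alpha",
               "GRANTED_ACCESS": "beta", "REFUSED_ACCESS": "beta"}

# Machines F_j as (home state h_j, transitions T_j); a transition (p, e, q)
# carries the label e written "-MSG" (send) or "+MSG" (receive).  The
# diagrams are constructed in the spirit of Fig. 2.1, not copied from it.
MACHINES = {
    0: ("idle", [("idle", "-ACCESS_REQUEST", "waiting"),
                 ("waiting", "+GRANTED_ACCESS", "using"),
                 ("waiting", "+REFUSED_ACCESS", "idle"),
                 ("using", "-RELINQUISHED_ACCESS", "idle")]),
    1: ("free", [("free", "+ACCESS_REQUEST", "deciding"),
                 ("deciding", "-GRANTED_ACCESS", "busy"),
                 ("deciding", "-REFUSED_ACCESS", "free"),
                 ("busy", "+RELINQUISHED_ACCESS", "free")]),
}

# Constructed faulty variant: after a refusal Process 0 keeps waiting for a
# grant instead of returning to "idle" and asking again.
BUGGY_MACHINES = dict(MACHINES)
BUGGY_MACHINES[0] = ("idle", [("waiting", "+REFUSED_ACCESS", "waiting")
                              if t[1] == "+REFUSED_ACCESS" else t
                              for t in MACHINES[0][1]])


def initial_state(machines):
    """(S^0, C^0): every machine in its home state, every channel empty."""
    return (tuple(machines[i][0] for i in sorted(machines)),
            tuple(() for _ in CHANNEL_NAMES))


def successors(machines, state, max_len=float("inf")):
    """Edges (1) receive and (2) send leaving the global state (S, C).
    A send that would make a channel longer than max_len is suppressed,
    which turns the exploration into a bounded reachability analysis."""
    S, C = state
    for i, (_, T) in machines.items():
        for p, e, q in T:
            if p != S[i]:
                continue
            sign, b = e[0], e[1:]
            k = CHANNEL_NAMES.index(MSG_CHANNEL[b])
            tail, head = CHANNELS[MSG_CHANNEL[b]]
            if sign == "-" and tail == i and len(C[k]) < max_len:
                new_x = C[k] + (b,)                   # (2): y_beta = x_beta b
            elif sign == "+" and head == i and C[k][:1] == (b,):
                new_x = C[k][1:]                      # (1): x_beta = b y_beta
            else:
                continue
            new_s = S[:i] + (q,) + S[i + 1:]          # only p_i changes
            yield e, (new_s, C[:k] + (new_x,) + C[k + 1:])


def global_state_space(machines, max_len=2):
    """Breadth-first construction of the (bounded) global state space:
    maps each reachable global state to its list of (label, successor)."""
    graph, queue = {}, deque([initial_state(machines)])
    while queue:
        st = queue.popleft()
        if st in graph:
            continue
        graph[st] = list(successors(machines, st, max_len))
        queue.extend(nxt for _, nxt in graph[st] if nxt not in graph)
    return graph


def is_receive_state(machines, i, p):
    """p in K_i is a receive state if no send (-b) transition leaves it."""
    return not any(src == p and e[0] == "-" for src, e, _ in machines[i][1])


def is_deadlocked(machines, state):
    """Section 4: every p_j is a receive state and C = C^0."""
    S, C = state
    return (all(is_receive_state(machines, i, S[i]) for i in machines)
            and all(x == () for x in C))


def deadlocks(machines, max_len=2):
    """Reachable deadlocked global states (empty list: deadlock-free
    within the bound)."""
    return sorted(s for s in global_state_space(machines, max_len)
                  if is_deadlocked(machines, s))


def stable_composite_states(machines, max_len=2):
    """Composite states S such that (S, C^0) is reachable."""
    return {S for S, C in global_state_space(machines, max_len)
            if all(x == () for x in C)}
```

For the faulty variant the search finds the deadlocked global state ((waiting, free), (λ, λ)); the correct protocol has none and exactly three stable composite states.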

The method presents a number of implementation and complexity problems, because the 
global state space tends to be very large and exhaustive search is expensive. Nevertheless, 
the question of algorithm existence is, in the case when the global state space is finite, 
uninteresting: All problems are decidable for trivial reasons. The chief aim of this paper is 
to investigate what can be done when the global state space is not (or is not known to be) 
finite. 

The global state space has a highly redundant structure. Concurrent execution is mod- 
elled by a set of shuffles of sequential executions in the participating nodes. Thus if one 
global state is reachable from another then there are usually many paths between them. We 
can reduce the redundancy by restricting the order in which concurrent transmissions and 
receptions occur. This is the idea of the abstract flow control. Its special case was studied 
(under a different name) by Rubin and West [Rub]. 

Every path in the global state space defines "local paths" in the transition diagrams of 
the individual state machines. These will be called the images of the global path. In the 
notation of section 3 the image can be defined formally. Let $\Gamma = (S_0, C_0) \vdash^{e_1} \cdots \vdash^{e_k} (S_k, C_k)$ 
be a path in the global state space, and let $i \in N$. If $k = 0$ (i.e. the length of $\Gamma$ is 0) 
and $S_0 = (p_j : j \in N)$ then $\mathrm{Im}_i(\Gamma)$, the image of $\Gamma$ in $F_i$, is the path of length 0 from $p_i$ to 
$p_i$. If $k > 0$, $S_{k-1} = (p_j : j \in N)$ and $S_k = (q_j : j \in N)$ then $\mathrm{Im}_i(\Gamma)$ is defined in terms of 
$\Gamma' = (S_0, C_0) \vdash \cdots \vdash (S_{k-1}, C_{k-1})$ as follows: If $e_k \notin \Sigma_i$ then $\mathrm{Im}_i(\Gamma) = \mathrm{Im}_i(\Gamma')$; if $e_k \in \Sigma_i$ 
then $\mathrm{Im}_i(\Gamma)$ is the concatenation of $\mathrm{Im}_i(\Gamma')$ with the path $p_i \xrightarrow{e_k} q_i$ (of length 1). 

Say that two paths $\Gamma$ and $\Gamma'$ in the global state space are locally equal if $\mathrm{Im}_i(\Gamma) = \mathrm{Im}_i(\Gamma')$ 
for each $i \in N$. The following self-evident lemma is a basis of most that follows. 

Lemma 5.1 If two paths in the global state space are locally equal and start in the same 
global state, then they also terminate in the same global state. 

The aim of the abstract flow control, in the sense used in this paper, is to reduce the 
number of the locally equal paths that the reachability analysis must examine. Rubin and 
West [Rub] have shown how to select exactly one path in every set of locally equal paths, in 
the special case of two-party protocols and paths between global states of the form $(S, C^0)$. 
The problem can be viewed as a scheduling problem: For a given path $\Gamma$ in the global state 
space, the local images of $\Gamma$ are concurrent sequential processes which must share a single 
processor. In this terminology, the Rubin and West method uses the round-robin scheduling. 
The methods explored in this paper are based on priority scheduling. They yield particularly 
simple results when the finite state machines are arranged in a circle; to have a short name 
for such CFSM protocols, we say that a protocol is cyclic if its communication graph is a 
directed cycle. 
Theorem 5.2 Let $P$ be a cyclic CFSM protocol. Let $\Gamma$ be a path in the global state space 
from a global state $(S, C^0)$ to a global state $(S', C^0)$. If $\beta$ is any edge in $E$ then there exists 
a path $\Gamma'$ such that 

(a) $\Gamma$ and $\Gamma'$ are locally equal; and 

(b) every global state $(S, (x_\xi : \xi \in E))$ on the path $\Gamma'$ satisfies 

$$\sum_{\xi \ne \beta} |x_\xi| \le 1 .$$ 

A more general result will be proved in section 10. 

Proof. Label the edges of the communication graph $G$ as $E = \{\alpha_0, \alpha_1, \ldots, \alpha_m\}$ and 
assume that $-\alpha_0 = +\alpha_m$, $-\alpha_1 = +\alpha_0$, $-\alpha_2 = +\alpha_1$, \ldots, and $\beta = \alpha_0$. 

Rearrange the execution described by $\Gamma$ as follows: Assign the highest priority to the 
process running at the node $+\alpha_m$, the next highest to the process at $+\alpha_{m-1}$, etc., with the 
lowest priority at $+\alpha_0$. Thus a process can execute only if all processes with higher priorities 
are blocked (which means that their local images of $\Gamma$ call for receptions and their input 
channels are empty). Let $\Gamma'$ be the path corresponding to the priority execution. It follows 
that at most one among the channels $\alpha_1, \alpha_2, \ldots, \alpha_m$ is non-empty at any point along $\Gamma'$, 
and that none can grow longer than one symbol. □ 

Theorem 5.2 (as well as the more general results to come) simplifies the reachability algo- 
rithm. When looking for a deadlock, the algorithm can ignore the global states in which 
$\sum_{\xi \ne \beta} |x_\xi| > 1$. The following immediate corollary of Theorem 5.2 generalizes a result of 
Brand and Zafiropulo [Bra]. 

Corollary 5.3 The stable composite state problem is decidable in the class of all cyclic 
CFSM protocols with this property: There is an edge $\beta$ and a constant $c$ such that every 
reachable global state $(S, (x_\xi : \xi \in E))$ satisfies $|x_\beta| < c$. 

It follows that deadlock-freedom is also decidable in this class. 
6 Affine SR-machines 



In this section we are going to see that certain properties of a pair of communicating SR- 
machines are algorithmically decidable, although they are superficially similar to the unde- 
cidable properties that we shall encounter later on. 

Let $P$ be a CFSM protocol consisting of two SR-machines $F_0 = (K_0, \Sigma_0, T_0, h_0)$ and 
$F_1 = (K_1, \Sigma_1, T_1, h_1)$ communicating according to the graph $0 \rightleftarrows 1$. Recall that 

$$\Sigma_0 = \{ -b \mid b \in M_\alpha \} \cup \{ +b \mid b \in M_\beta \}$$ 

and 

$$\Sigma_1 = \{ -b \mid b \in M_\beta \} \cup \{ +b \mid b \in M_\alpha \} .$$ 

If $w$ is a string in $\Sigma_0^*$ or $\Sigma_1^*$, denote by $\pi_\alpha(w)$ the string of all $M_\alpha$ symbols in $w$, in the same 
order; thus $\pi_\alpha$ erases all the symbols in $w$ that belong to $M_\beta$, and also all $+$ and $-$ ($\pi_\alpha$ is 
the "projection" from $\Sigma_0^* \cup \Sigma_1^*$ onto $M_\alpha^*$). The projection $\pi_\beta$ onto $M_\beta^*$ is defined similarly. 
For example, if $d_1, d_2 \in M_\alpha$ and $b_1, b_2 \in M_\beta$ then $\pi_\alpha(+d_1\,+d_2\,-b_1\,+d_1\,-b_2\,-b_2) = d_1 d_2 d_1$ 
and $\pi_\beta(+d_1\,+d_2\,-b_1\,+d_1\,-b_2\,-b_2) = b_1 b_2 b_2$. 

The machine $F_0$ defines a subset $Z_0$ of $M_\alpha^* \times M_\beta^*$: 

$$Z_0 = \{ (\pi_\alpha(w), \pi_\beta(w)) \mid h_0 \xrightarrow{w} h_0 \text{ in } F_0 \} .$$ 

Similarly, 

$$Z_1 = \{ (\pi_\alpha(w), \pi_\beta(w)) \mid h_1 \xrightarrow{w} h_1 \text{ in } F_1 \} .$$ 

Say that $F_0$ and $F_1$ are affine (or that the protocol $P$ is affine) if $Z_0 = Z_1$. 

Thus two SR-machines are affine if and only if for every sequence of sends and receives 
(beginning and ending in the "home state") in one machine there is a matching sequence 
in the other. However, the matching is a weak one because, intuitively, it allows a symbol 
to be received before it has been sent. 

There are interesting connections between affinity and certain desirable protocol proper- 
ties. At the same time, unlike the other properties, affinity is decidable; a minor modification 
of Bird's algorithm [Bir] establishes the following result. 

Theorem 6.1 There is an algorithm to decide whether an arbitrary pair of SR-machines 
is affine. 

Now we consider the bounded channel property for affine SR-machines. No protocol in 
which at least one machine can go through a cycle consisting of send transitions has the 
bounded channel property; the machine can repeat the sending cycle any number of times 
before the other machine begins receiving. The forthcoming theorem shows that for affine 
SR-machines the channel can grow large only if there is such a cycle. 
Say that a state machine $F_j$ has a send cycle if the transition diagram of $F_j$ contains a 
directed cycle all of whose labels are negative (i.e. of the form $-b$, $b \in M_\xi$, $j = -\xi$); a receive 
cycle is defined analogously. 
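The SR-machine conditions (a)–(c) of section 3 and the send/receive cycle definition just given, as an added Python example that is not part of the paper: it checks whether a transition list is an SR-machine, searches the send-only (or receive-only) subgraph for a directed cycle, and computes the threshold $k_0(k_1 - 1) + 1$ that Lemma 6.2 below uses. The sample machines are constructed here; SENDER is only loosely modelled on a retransmitting sender and is not a transcription of Fig. 2.3.

```python
# Added example, not from the paper: checks the SR-machine conditions (a)-(c)
# of section 3 and looks for send and receive cycles.  A machine is given by
# its transitions (p, e, q), the label e written "-MSG" (send) or "+MSG"
# (receive).  The sample machines below are constructed for illustration.

def out_edges(T, p):
    return [(e, q) for src, e, q in T if src == p]


def states_of(T):
    return {s for p, _, q in T for s in (p, q)}


def is_send_state(T, p):
    """No receive (+b) transition leaves p."""
    return all(e[0] != "+" for e, _ in out_edges(T, p))


def is_receive_state(T, p):
    """No send (-b) transition leaves p."""
    return all(e[0] != "-" for e, _ in out_edges(T, p))


def strongly_connected(T):
    """Condition (b): some state reaches, and is reached from, every state."""
    states = states_of(T)

    def closure(start, forward):
        seen, stack = set(), [start]
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            stack.extend(b if forward else a for a, _, b in T
                         if (a if forward else b) == p)
        return seen

    start = next(iter(states))
    return closure(start, True) == states and closure(start, False) == states


def is_sr_machine(T):
    """(a) only send and receive states, (b) strongly connected transition
    diagram, (c) the same label from p always leads to the same state."""
    pure = all(is_send_state(T, p) or is_receive_state(T, p)
               for p in states_of(T))
    deterministic = all(len({q for e2, q in out_edges(T, p) if e2 == e}) == 1
                        for p, e, _ in T)
    return pure and strongly_connected(T) and deterministic


def has_cycle_with_sign(T, sign):
    """Directed cycle using only transitions whose label starts with sign."""
    adj = {}
    for p, e, q in T:
        if e[0] == sign:
            adj.setdefault(p, []).append(q)
    WHITE, GRAY, BLACK = 0, 1, 2          # classic DFS colouring
    colour = {}

    def visit(p):
        colour[p] = GRAY
        for q in adj.get(p, []):
            c = colour.get(q, WHITE)
            if c == GRAY or (c == WHITE and visit(q)):
                return True               # back edge: a cycle closes here
        colour[p] = BLACK
        return False

    return any(colour.get(p, WHITE) == WHITE and visit(p) for p in list(adj))


def has_send_cycle(T):
    return has_cycle_with_sign(T, "-")


def has_receive_cycle(T):
    return has_cycle_with_sign(T, "+")


def affine_channel_bound(k0, k1):
    """Threshold k0(k1 - 1) + 1 of Lemma 6.2 (kj = |Kj|): for affine SR-machines
    a reachable (x_alpha, lambda) longer than this forces a receive cycle in F1
    and a send cycle in F0."""
    return k0 * (k1 - 1) + 1


# Process 0 of an access protocol in the spirit of Fig. 2.1 (constructed).
F0 = [("idle", "-ACCESS_REQUEST", "waiting"),
      ("waiting", "+GRANTED_ACCESS", "using"),
      ("waiting", "+REFUSED_ACCESS", "idle"),
      ("using", "-RELINQUISHED_ACCESS", "idle")]
# A sender that may retransmit EV any number of times (constructed; only
# loosely modelled on the alternating-bit sender of Fig. 2.3).
SENDER = [("s0", "-EV", "s1"), ("s1", "-EV", "s1"),
          ("s1", "-ED", "s2"), ("s2", "+EDA", "s0")]
# State "a" both sends and receives, so this is not an SR-machine.
MIXED = [("a", "-x", "b"), ("a", "+y", "b"), ("b", "+z", "a")]
```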

Lemma 6.2 Let $F_0$ and $F_1$ be two affine SR-machines. For $j = 0, 1$, let $k_j$ be the number 
of states in $F_j$ (= the cardinality of $K_j$). If there is a reachable global state $((p_0, p_1), (x_\alpha, \lambda))$ 
such that $|x_\alpha| > k_0(k_1 - 1) + 1$ then $F_1$ has a receive cycle and $F_0$ has a send cycle. 

This yields a new automatically verifiable sufficient condition for bounded channels, 
namely affinity and absence of send cycles; cf. [Bra] and [Gou] for other conditions of this 
kind. The condition is also necessary if the protocol is affine and deadlock-free: 

Theorem 6.3 Let $F_0$ and $F_1$ be two affine SR-machines. If the protocol is deadlock-free 
then it has the bounded channel property if and only if neither $F_0$ nor $F_1$ has a send cycle. 

Theorem 6.4 There is an algorithm to decide, for an arbitrary given pair of affine SR- 
machines, whether the protocol is deadlock-free and has the bounded channel property. 

Another corollary of 6.2, to be proved later in this section, is the following: 

Theorem 6.5 There is an algorithm to decide, for an arbitrary given pair of SR-machines 
with no send cycles, whether the protocol is affine and deadlock-free. 

Now we prove the results in this section. Recall that we deal with a protocol $P$ with 
the communication graph $0 \rightleftarrows 1$ and two SR-machines $F_j = (K_j, \Sigma_j, T_j, h_j)$, $j = 0, 1$. The 
channel alphabets are $M_\alpha$ and $M_\beta$. 

Proof of 6.2 Recording how the global state $((p_0, p_1), (x_\alpha, \lambda))$ has been reached, we 
find two strings $w_0 \in \Sigma_0^*$ and $w_1 \in \Sigma_1^*$ such that $h_0 \xrightarrow{w_0} p_0$, $h_1 \xrightarrow{w_1} p_1$, $\pi_\alpha(w_0) = \pi_\alpha(w_1)\,x_\alpha$ and 
$\pi_\beta(w_0) = \pi_\beta(w_1)$. Since the transition graph of $F_0$ is strongly connected and has $k_0$ nodes, 
$p_0 \xrightarrow{u_0} h_0$ for some $u_0 \in \Sigma_0^*$ such that $|u_0| \le k_0 - 1$. 

By affinity, $p_1 \xrightarrow{u_1} h_1$ for some $u_1 \in \Sigma_1^*$ such that $\pi_\alpha(w_0 u_0) = \pi_\alpha(w_1 u_1)$ and $\pi_\beta(w_0 u_0) = 
\pi_\beta(w_1 u_1)$. This yields $\pi_\alpha(u_1) = x_\alpha\,\pi_\alpha(u_0)$ and $\pi_\beta(u_1) = \pi_\beta(u_0)$. Therefore $u_1$ contains at 
most $|u_0| \le k_0 - 1$ symbols of the form $-b$, $b \in M_\beta$. At the same time, the length of $\pi_\alpha(u_1)$ 
is 

$$|\pi_\alpha(u_1)| \ge |x_\alpha| > k_0(k_1 - 1) + 1 ,$$ 

and hence $u_1$ contains a (contiguous) subsequence $v_1$ of length $|v_1| \ge k_1$ that has no symbols 
$-b$, $b \in M_\beta$. Since $F_1$ has $k_1$ states, the path corresponding to $v_1$ contains a cycle. Hence 
$F_1$ has a receive cycle. 

The second assertion in 6.2 now follows from the following lemma. 
Lemma 6.6 Let $F_0$ and $F_1$ be two affine SR-machines. If $F_1$ has a receive cycle then $F_0$ 
has a send cycle. 

Proof of 6.6 Again let $k_j$ be the cardinality of $K_j$, for $j = 0, 1$. Since the transition 
diagram of $F_1$ is strongly connected and has a receive cycle, $h_1 \xrightarrow{w_1} h_1$ for some $w_1 \in \Sigma_1^*$ such 
that $|\pi_\beta(w_1)| \le 2(k_1 - 1)$ and $|\pi_\alpha(w_1)| \ge (2k_1 - 1)(k_0 - 1) + 1$. By affinity $h_0 \xrightarrow{w_0} h_0$ for 
some $w_0 \in \Sigma_0^*$ such that $\pi_\alpha(w_0) = \pi_\alpha(w_1)$ and $\pi_\beta(w_0) = \pi_\beta(w_1)$. It follows that $w_0$ contains 
a substring $v_0$ of length $|v_0| \ge k_0$ that has no symbol $+b$. Since $F_0$ has $k_0$ states, the path 
corresponding to $v_0$ contains a cycle; hence $F_0$ has a send cycle. □ 

The proof of 6.3 uses the following two lemmas. 

Lemma 6.7 If there is a reachable global state $((p_0, p_1), (x_\alpha, x_\beta))$ with $|x_\alpha| > k$ then there 
is a reachable global state $((p_0, q_1), (y_\alpha, \lambda))$ with $|y_\alpha| > k$. 

Lemma 6.8 If the pair of affine machines is deadlock-free then for any $w_0$ such that 
$h_0 \xrightarrow{w_0} p_0$ there exists a path in the global state space, starting in $(S^0, C^0)$, whose image 
in $F_0$ is labelled $w_0$. 

Proof of 6.7 There are $h_0 \xrightarrow{w_0} p_0$ and $h_1 \xrightarrow{w_1} p_1$ such that $\pi_\alpha(w_0) = \pi_\alpha(w_1)\,x_\alpha$ and 
$\pi_\beta(w_0)\,x_\beta = \pi_\beta(w_1)$. Find a prefix $v_1$ of $w_1$ such that $\pi_\beta(w_1) = \pi_\beta(v_1)\,x_\beta$. We have $h_1 \xrightarrow{v_1} q_1$ 
for some $q_1 \in K_1$. Since $\pi_\alpha(v_1)$ is a prefix of $\pi_\alpha(w_1)$, we can write $\pi_\alpha(w_1) = \pi_\alpha(v_1)\,y'_\alpha$ for 
some $y'_\alpha \in M_\alpha^*$. Set $y_\alpha = y'_\alpha x_\alpha$; then $\pi_\beta(w_0) = \pi_\beta(v_1)$ and $\pi_\alpha(w_0) = \pi_\alpha(v_1)\,y_\alpha$. Therefore 
$((p_0, q_1), (y_\alpha, \lambda))$ is reachable. □ 

Proof of 6.8 First observe that we can assume, without loss of generality, that $p_0 = h_0$ (because the path can be extended to $h_0$). Now, by affinity, there is $w_1$ such that $h_1 \xrightarrow{w_1} h_1$, $\pi_\alpha(w_1) = \pi_\alpha(w_0)$ and $\pi_\beta(w_1) = \pi_\beta(w_0)$. In the global state space, find the longest path that starts in $(S^0, C^0)$ and whose image in $F_j$ is labelled by a prefix $v_j$ of $w_j$, for $j = 0, 1$; denote by $(S, C) = ((q_0, q_1), (x_\alpha, x_\beta))$ the end node of the path. We want to show that $v_0 = w_0$.

Assume $w_0 \ne v_0$, $w_0 = v_0 e u_0$ for some $e \in \Sigma_0$ and $u_0 \in \Sigma_0^*$. Distinguish several cases:

I. $q_0$ is a send state; then $e = -b$ for some $b \in M_\alpha$, and $q_0 \xrightarrow{-b} q'_0$ in $F_0$. Thus $(S, C) \vdash ((q'_0, q_1), (x_\alpha b, x_\beta))$, which contradicts the maximality of the path.

II. $q_0$ is a receive state and $x_\beta \ne \lambda$. Then $e = +b$, $b \in M_\beta$, and $b$ is the first symbol in $x_\beta$. Thus $q_0 \xrightarrow{+b} q'_0$ in $F_0$, and again the path in the global state space is not maximal.

III. $q_1$ is a receive state and $x_\alpha \ne \lambda$. This leads to a contradiction as in case II.

IV. Both $q_0$ and $q_1$ are receive states and $x_\alpha = \lambda = x_\beta$; this contradicts the assumption that the protocol is deadlock-free.

V. $q_0$ is a receive state, $x_\beta = \lambda$ and $q_1$ is a send state. Then $e = +b$, $b \in M_\beta$ and by affinity $q_1 \xrightarrow{-b} q'_1$. Again, the path is not maximal.

Thus in each case the assumption $w_0 \ne v_0$ leads to a contradiction. We conclude that $w_0 = v_0$. □

Proof of 6.3 By 6.2 and 6.7, if the protocol has no send cycles then it has the bounded channel property.

Conversely, assume that, for example, $F_0$ has a send cycle. Thus there are $p_0 \in K_0$ and $u_0 \in \Sigma_0^*$ such that $p_0 \xrightarrow{u_0} p_0$, $u_0 \ne \lambda$ and $\pi_\beta(u_0) = \lambda$. Denote $y_\alpha = \pi_\alpha(u_0)$. By Lemma 6.8 there are $p_1$, $x_\alpha$ and $x_\beta$ such that the global state $((p_0, p_1), (x_\alpha, x_\beta))$ is reachable. It follows that, for every integer $i \ge 0$, the global state $((p_0, p_1), (x_\alpha y_\alpha^i, x_\beta))$ is reachable, and therefore the protocol does not have the bounded channel property. □

Proof of 6.4 This algorithm solves the problem:

1. Check whether there are any send cycles.

2. If there are no send cycles, then (by 6.2) the protocol has the bounded channel property. Apply the exhaustive reachability analysis to decide deadlock-freedom.

3. If there is a send cycle then, by Theorem 6.3, the protocol is not deadlock-free or does not have the bounded channel property. □
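As an added illustration of this three-step procedure (example code written for this edition, not from the paper), the Python below encodes a pair of SR-machines as transition tables, detects send cycles by a depth-first search, and runs the exhaustive reachability analysis over global states $((p_0, p_1), (x_\alpha, x_\beta))$; as a by-product it collects, per composite state, the set of reachable channel contents, which is the table form of the global state space used later in Section 8 (Fig. 8.3). The machines F0_REQ, F1_REQ and the other tables are constructed sample pairs, not the paper's; deadlock is taken, as in case IV of the proof of 6.8, to mean both machines in receive states with both channels empty, and affinity (which 6.4 presupposes) is not checked here.

```python
from collections import deque

# Constructed example, not code from the paper.  An SR-machine is a dict
# state -> list of (kind, symbol, next_state), kind '-' for a send transition
# and '+' for a receive.  Machine F0 sends on channel alpha and receives on
# channel beta; machine F1 sends on beta and receives on alpha.  Messages are
# single characters so that a channel content is a plain FIFO string.

def is_receive_state(machine, state):
    """In an SR-machine every state is either a send or a receive state."""
    return all(kind == '+' for kind, _, _ in machine[state])

def has_send_cycle(machine):
    """Step 1 of the algorithm: is there a cycle made of send transitions only?
    Plain depth-first search for a back edge in the send-only subgraph."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in machine}

    def visit(s):
        colour[s] = GREY
        for kind, _, nxt in machine[s]:
            if kind != '-':
                continue
            if colour[nxt] == GREY or (colour[nxt] == WHITE and visit(nxt)):
                return True
        colour[s] = BLACK
        return False

    return any(colour[s] == WHITE and visit(s) for s in machine)

def reachable_global_states(f0, h0, f1, h1, max_len):
    """Exhaustive reachability analysis over global states
    ((p0, p1), (x_alpha, x_beta)).  Returns None if a channel exceeds max_len,
    which by Theorem 6.3 cannot happen when neither machine has a send cycle."""
    start = ((h0, h1), ('', ''))
    seen, queue = {start}, deque([start])
    while queue:
        (p0, p1), (xa, xb) = queue.popleft()
        succ = []
        for kind, b, nxt in f0[p0]:
            if kind == '-':                       # F0 appends b to alpha
                succ.append(((nxt, p1), (xa + b, xb)))
            elif xb.startswith(b):                # F0 consumes b from beta
                succ.append(((nxt, p1), (xa, xb[1:])))
        for kind, b, nxt in f1[p1]:
            if kind == '-':                       # F1 appends b to beta
                succ.append(((p0, nxt), (xa, xb + b)))
            elif xa.startswith(b):                # F1 consumes b from alpha
                succ.append(((p0, nxt), (xa[1:], xb)))
        for g in succ:
            if len(g[1][0]) > max_len or len(g[1][1]) > max_len:
                return None
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def channel_table(states):
    """The data structure of Fig. 8.3: composite state -> set of channel contents."""
    table = {}
    for composite, channels in states:
        table.setdefault(composite, set()).add(channels)
    return table

def deadlock_free_and_bounded(f0, h0, f1, h1, max_len=64):
    """The three-step decision procedure of the proof of 6.4, for an affine pair.
    True iff the pair is deadlock-free and has the bounded channel property."""
    if has_send_cycle(f0) or has_send_cycle(f1):
        return False                              # step 3
    states = reachable_global_states(f0, h0, f1, h1, max_len)   # step 2
    assert states is not None, "channels are bounded when there are no send cycles"
    for (p0, p1), (xa, xb) in states:
        if xa == '' and xb == '' and is_receive_state(f0, p0) and is_receive_state(f1, p1):
            return False                          # both wait on empty channels
    return True

# Constructed request/acknowledge pair: F0 sends R and waits for A; F1 mirrors it.
F0_REQ = {'h0': [('-', 'R', 'w0')], 'w0': [('+', 'A', 'h0')]}
F1_REQ = {'h1': [('+', 'R', 'r1')], 'r1': [('-', 'A', 'h1')]}
# The same machines with the initial states moved: both start in a receive
# state, so the very first global state is already a deadlock.
F0_WAIT = {'h0': [('+', 'A', 'p0')], 'p0': [('-', 'R', 'h0')]}
F1_WAIT = {'h1': [('+', 'R', 'p1')], 'p1': [('-', 'A', 'h1')]}
# A machine with a send cycle: channel alpha grows without bound.
F0_LOOP = {'h0': [('-', 'R', 'h0')]}
F1_SINK = {'h1': [('+', 'R', 'h1')]}

if __name__ == '__main__':
    print(deadlock_free_and_bounded(F0_REQ, 'h0', F1_REQ, 'h1'))    # True
    print(deadlock_free_and_bounded(F0_WAIT, 'h0', F1_WAIT, 'h1'))  # False
    print(deadlock_free_and_bounded(F0_LOOP, 'h0', F1_SINK, 'h1'))  # False
    table = channel_table(reachable_global_states(F0_REQ, 'h0', F1_REQ, 'h1', 8))
    for composite, contents in sorted(table.items()):
        print(composite, sorted(contents))
```

The `max_len` guard is only a safety net for pairs that do have a send cycle; for a pair without one the analysis terminates on its own, which is exactly what step 2 relies on.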



Proof of 6.5 Use the exhaustive reachability analysis. If any global state $(S, (x_\alpha, \lambda))$ with $|x_\alpha| \ge k_0(k_1 - 1) + 1$ is reachable then, by 6.2, the protocol is not affine and deadlock-free (i.e. it is not affine or it is not deadlock-free).

If no such global state is reachable, then the protocol has the bounded channel property, and deadlock-freedom can be decided. Then affinity can be decided by Bird's algorithm; or alternatively it can be decided by a modified reachability analysis, since the two state machines differ by a "finite balance". □



7 Undecidable problems 

We have seen in the previous section that the following problems are algorithmically decid- 
able: 

• Given any pair of SR-machines, is it affine?

• Given any pair of affine SR-machines, is it deadlock-free and has it the bounded channel property?

• Given any pair of SR-machines with no send cycles, is it affine and deadlock-free? 
In this section we shall see that, in contrast to the previous results, some very similar problems are undecidable. Brand and Zafiropulo [Bra] prove the undecidability of several problems of this kind by reduction to the halting problem for Turing machines. The proofs in this section are somewhat similar to those in [Bra], but it will be more convenient for us to use Post's tag systems instead of Turing machines. Every tag system can be encoded as a pair of SR-machines; the known undecidability results about tag systems yield the following theorem.

Theorem 7.1 For pairs of communicating SR-machines, these problems are undecidable: 

(a) Given any protocol with no send cycles, is it deadlock-free?

(b) Given any deadlock-free protocol with no send cycles, has it the bounded channel property?

(c) Given any affine protocol, is it deadlock-free? 

(d) Given any affine protocol, has it the bounded channel property? 

Theorem 7.1 and the results in the previous section pinpoint the frontier between the
decidable and the undecidable for pairs of communicating SR-machines. Next we turn to 
more general protocols, and explore connections between the decidability properties and the 
topology of the underlying communication graph. 

For a directed graph $G$, denote by $VG$ the corresponding undirected graph. Consider first any CFSM protocol (with communication graph $G$) for which $VG$ has no cycles. (Of course, such protocols are hardly of any use. They allow no feedback.) As in Theorem 5.2 one can show that every path in the global state space starting and ending in global states with empty channels is locally equal to a path that uses only global states of the form $(S, (x_\xi : \xi \in E))$ with $|x_\xi| \le 1$. It follows that the stable composite state problem (and, in particular, the deadlock problem) is decidable for these protocols.

On the other hand, all "practical" communication graphs lead to undecidable problems. 
The claim is made precise, for the stable composite state problem, in the following theorem. 

Theorem 7.2 If G is a directed graph such that VG has a cycle then the stable composite 
state problem is undecidable for the CFSM protocols with the communication graph G. 

The forthcoming proofs of 7.1 and 7.2 are based on known results about Post's tag systems; the results are collected in the appendix.

The principal steps in the proof of 7.1 are stated and proved separately in 7.3, 7.4 and 7.5.
Lemma 7.3 For every tag system $T = (\Sigma, g, w_0)$ there is a protocol of two communicating SR-machines $F_0$ and $F_1$ with no send cycles such that

(a) the protocol is deadlock-free if and only if $s_n(T) \ne \lambda$ for all $n$;

(b) the protocol has the bounded channel property if and only if there is a constant $c$ such that $|s_n(T)| \le c$ for all $n$.

Proof of 7.3 For each $b \in \Sigma$ create two new symbols $b_\alpha$ and $b_\beta$; define $M_\alpha = \{ b_\alpha \mid b \in \Sigma \} \cup \{f\}$ and $M_\beta = \{ b_\beta \mid b \in \Sigma \}$, where $f$ is a new symbol. The machine $F_0$ has a single receive state $h_0$, which is also its initial state, and one send state $p_b$ for every $b \in \Sigma$, with transitions $h_0 \xrightarrow{+b_\beta} p_b$ and $p_b \xrightarrow{-b_\alpha} h_0$. Thus $F_0$ is a repeater (or a perfect transmission demon): it sends $b_\alpha$ whenever it receives $b_\beta$.

The machine $F_1$ simulates the tag system. It first transmits the string $w_0$ (subscripted by $\beta$), and then it alternately receives any $d_\alpha$, receives any $b_\alpha$, and transmits $g(d)$ subscripted by $\beta$. The transition diagram of $F_1$ is schematically depicted in Fig. 7.1, where $g(d) = g_{d0} g_{d1} \cdots g_{dm(d)}$ for every $d \in \Sigma$, and $w_0 = d_0 d_1 \ldots d_m$. There is a transition $q \xrightarrow{+d_\alpha} q_d$ for every $d \in \Sigma$. Note also the "dummy" transition $q \xrightarrow{+f} h_1$; it will never be used, but it makes the transition diagram strongly connected. Neither $F_0$ nor $F_1$ has a send cycle and if $|g|^- > 0$ then they have no receive cycles.

The pair $(F_0, F_1)$ simulates the tag system $T$ in the following sense: For $w \ne \lambda$ we have $w = s_n(T)$ for some $n$ if and only if the global state $((h_0, q), (w_\alpha, \lambda))$ is reachable; and $\lambda = s_n(T)$ for some $n$ if and only if either $((h_0, q), (\lambda, \lambda))$ or $((h_0, q_d), (\lambda, \lambda))$ for some $d \in \Sigma$ is reachable.

This proves (a) and, in view of Lemma 6.7, also (b). □
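The following Python, an added example and not the paper's construction of Fig. 7.1, runs the encoding just described for a deletion-2 tag system under one fixed interleaving ($F_1$ moves, then the repeater $F_0$ forwards everything waiting on $\beta$ to $\alpha$) and checks that the content of channel $\alpha$ at the global states $((h_0, q), (w_\alpha, \lambda))$ reproduces the words $s_n(T)$, that the run deadlocks exactly when the tag system halts (7.3(a)), and that channel growth tracks the growth of $|s_n(T)|$ (7.3(b)). The tag systems passed in (`{'a': 'b', 'b': 'a'}` and the others) are constructed; the convention that $s_{n+1}(T) = \lambda$ once fewer than two symbols remain is an assumption made here, since the appendix defining $s_n(T)$ is not on this page.

```python
# Constructed example, not the paper's Fig. 7.1.  A tag system T = (Sigma, g, w0)
# with deletion number 2 is given by the dict g (symbol -> string) and the
# initial word w0.  The pair (F0, F1) of the proof of Lemma 7.3 is run under one
# fixed schedule: F1 moves first, then the repeater F0 forwards everything
# waiting on channel beta to channel alpha.  Messages carry their channel as a
# subscript in the paper; here a channel is simply a list of the plain symbols.

def tag_run(g, w0, max_steps):
    """s_0(T), s_1(T), ... where s_{n+1} drops the first two symbols of s_n and
    appends g(d), d the first symbol of s_n.  Assumption (the appendix defining
    s_n is not on this page): the run halts, i.e. the next word is the empty
    word, as soon as fewer than two symbols remain.  Returns (words, halted)."""
    words, s = [w0], w0
    for _ in range(max_steps):
        if len(s) < 2:
            return words, True
        s = s[2:] + g[s[0]]
        words.append(s)
    return words, len(s) < 2

def simulate_protocol(g, w0, max_steps):
    """Drive (F0, F1) and record the content of channel alpha each time F1 is in
    its state q with beta empty and F0 in h0.  A deadlock is reported when F1,
    needing two symbols from alpha, finds fewer than two and F0 (a receive
    state with empty beta) cannot supply more: that is the global state
    ((h0, q), (lambda, lambda)) or ((h0, q_d), (lambda, lambda)) of the proof.
    Returns (alpha_contents, deadlocked)."""
    alpha, beta = [], list(w0)          # F1 first transmits w0 subscripted by beta
    seen = []
    for n in range(max_steps + 1):
        while beta:                     # F0: h0 --+b_beta--> p_b --(-b_alpha)--> h0
            alpha.append(beta.pop(0))
        seen.append(''.join(alpha))     # F1 in q, F0 in h0, beta empty
        if len(alpha) < 2:
            return seen, True
        if n == max_steps:
            break
        d = alpha.pop(0)                # q --+d_alpha--> q_d
        alpha.pop(0)                    # q_d --+b_alpha--> first send state of g(d)
        beta.extend(g[d])               # F1 transmits g(d) subscripted by beta
    return seen, False

def max_channel_length(g, w0, max_steps):
    """Longest alpha content seen within max_steps rounds; Lemma 7.3(b) says the
    pair has the bounded channel property iff this stays bounded for all n."""
    seen, _ = simulate_protocol(g, w0, max_steps)
    return max(len(w) for w in seen)

if __name__ == '__main__':
    # Halting system (deadlock): aaa -> ab -> b -> empty word.
    print(tag_run({'a': 'b', 'b': 'a'}, 'aaa', 10))
    print(simulate_protocol({'a': 'b', 'b': 'a'}, 'aaa', 10))
    # Non-halting, bounded: aa -> aa -> ...
    print(simulate_protocol({'a': 'aa'}, 'aa', 5))
    # Non-halting, unbounded: the word grows by one symbol per step.
    print(max_channel_length({'a': 'aaa'}, 'aa', 5))
```

Because $F_0$ is a pure repeater, any other interleaving of the two machines reaches the same global states $((h_0, q), (w_\alpha, \lambda))$; the fixed schedule only chooses the order in which the scan visits them, which is the same priority idea the paper uses elsewhere.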

Lemma 7.4 For every pair of communicating SR-machines $F'_0$ and $F'_1$ we can construct an affine pair $F_0, F_1$ such that either both pairs are deadlock-free or none is.

Proof of 7.4 Let the channel alphabets be $M'_\alpha$ and $M'_\beta$. Let $\#_\alpha$ and $\#_\beta$ be two new symbols (not in $M'_\alpha \cup M'_\beta$) and define $M_\alpha = M'_\alpha \cup \{\#_\alpha\}$ and $M_\beta = M'_\beta \cup \{\#_\beta\}$. We construct $F_0$ and $F_1$, with the corresponding relations $Z_0$ and $Z_1$ (defined in section 6) both equal to

$\{ (u_\alpha \#_\alpha, u_\beta \#_\beta) \mid u_\alpha \in M'^*_\alpha, u_\beta \in M'^*_\beta \}^*$.

First we modify $F'_0$ and $F'_1$ so that no transitions lead to the initial states $h'_0$ and $h'_1$. This is arranged as follows in $F'_0$ (and similarly in $F'_1$): Add a new state $p_0$. Add the transition $p \to p_0$ (with the same label) whenever $p \to h'_0$ in $F'_0$, and add $p_0 \to p$ whenever $h'_0 \to p$ in $F'_0$. Then delete all transitions leading to $h'_0$. The resulting diagram is not strongly connected, but otherwise it satisfies all the properties of an SR-machine. The deadlock-freedom is not changed by the modification.
Fig. 7.1. The transition diagram of $F_1$.
The next step in the construction of $F_0$ is illustrated in Fig. 7.2 (it is again the same for $F_1$). Add two new send states $s$ and $s'$ and a new receive state $r$. For each send state $p$ (including $h'_0$ if it is a send state) add the transition $p \xrightarrow{-\#_\alpha} r$, and add $p \xrightarrow{-b} s'$ whenever $p \xrightarrow{-b}$ is not in $F'_0$. For each receive state $p$ (including $h'_0$ if it is a receive state) add the transition $p \xrightarrow{+\#_\beta} s$, and add $p \xrightarrow{+b} s'$ whenever $p \xrightarrow{+b}$ is not in $F'_0$. Also, add $s' \xrightarrow{-\#_\alpha} r$, $r \xrightarrow{+\#_\beta} h'_0$, $s \xrightarrow{-\#_\alpha} h'_0$, $s' \xrightarrow{-b} s'$ and $s \xrightarrow{-b} s$ for every $b \in M'_\alpha$; and $r \xrightarrow{+b} r$ for every $b \in M'_\beta$. Call the resulting SR-machine $F_0$, and call $F_1$ that constructed in the same way from $F'_1$.

If $h'_0 \xrightarrow{w} h'_0$ in $F_0$, $w \ne \lambda$, and if $h'_0 \xrightarrow{u} h'_0$ for no proper nonempty prefix $u$ of $w$, then $\pi_\alpha(w) = u_\alpha \#_\alpha$ for some $u_\alpha \in M'^*_\alpha$ and $\pi_\beta(w) = u_\beta \#_\beta$ for some $u_\beta \in M'^*_\beta$. Conversely, for any $u_\alpha \in M'^*_\alpha$ and $u_\beta \in M'^*_\beta$ there exists $w$ such that $h'_0 \xrightarrow{w} h'_0$, $\pi_\alpha(w) = u_\alpha \#_\alpha$ and $\pi_\beta(w) = u_\beta \#_\beta$. Therefore

$Z_0 = \{ (u_\alpha \#_\alpha, u_\beta \#_\beta) \mid u_\alpha \in M'^*_\alpha, u_\beta \in M'^*_\beta \}^*$.

For the same reason, $Z_1$ is equal to the same relation. Hence $F_0$ and $F_1$ are affine.

Every reachable deadlocked global state for the pair $(F'_0, F'_1)$ is reachable for $(F_0, F_1)$. At the same time, no additional deadlocked global states are reachable for $(F_0, F_1)$; if, for example, $F_0$ is in its state $r$ and the channels are empty then $F_1$ must be in its state $s$, which is not a receive state. □



Lemma 7.5 For every pair of communicating SR-machines $F'_0$ and $F'_1$ we can construct an affine pair $F_0, F_1$ such that either both pairs have the bounded channel property or none has.

(Note that, in view of 6.4, the constructions in 7.4 and 7.5 cannot be combined. More precisely, it is not true that for every $F'_0$ and $F'_1$ we can construct an affine pair $F_0, F_1$ such that both the deadlock-freedom and the bounded-channel property are shared by the two pairs.)

Proof of 7.5 As in the proof of 7.4 we define $M_\alpha = M'_\alpha \cup \{\#_\alpha\}$ and $M_\beta = M'_\beta \cup \{\#_\beta\}$. We construct $F_0$ and $F_1$ such that the corresponding relations $Z_0$ and $Z_1$ are both equal to

$\{ (u_\alpha \#_\alpha \#_\alpha, u_\beta \#_\beta \#_\beta) \mid u_\alpha \in M'^*_\alpha, u_\beta \in M'^*_\beta \}^*$.

Again we first arrange that no transitions lead to the initial states $h'_0$ and $h'_1$. The next step is shown, for $F_0$, in Fig. 7.3. Add four new receive states $r, r', r''$ and $r'''$ and two new send states $s$ and $s'$. For each send state $p$ (including $h'_0$ if it is a send state) add the transition $p \xrightarrow{-\#_\alpha} r''$, and add $p \xrightarrow{-b} r$ whenever $p \xrightarrow{-b}$ is not in $F'_0$. For each receive state $p$ (including $h'_0$ if it is a receive state) add the transition $p \xrightarrow{+\#_\beta} r'$, and add $p \xrightarrow{+b} r$ whenever $p \xrightarrow{+b}$ is not in $F'_0$. Also, add $r \xrightarrow{+\#_\beta} r'$, $r' \xrightarrow{+\#_\beta} s$, $s \xrightarrow{-\#_\alpha} s'$, $r'' \xrightarrow{+\#_\beta} r'''$, $r''' \xrightarrow{+\#_\beta} s'$, $s' \xrightarrow{-\#_\alpha} h'_0$; $r \xrightarrow{+b} r$ and $r'' \xrightarrow{+b} r''$ for every $b \in M'_\beta$; and $s \xrightarrow{-b} s$ for every $b \in M'_\alpha$. Call $F_0$ the resulting SR-machine, and call $F_1$ that constructed the same way from $F'_1$.

Fig. 7.3. The construction of $F_0$ in the proof of 7.5.

As in the proof of 7.4 it now follows that

$Z_0 = Z_1 = \{ (u_\alpha \#_\alpha \#_\alpha, u_\beta \#_\beta \#_\beta) \mid u_\alpha \in M'^*_\alpha, u_\beta \in M'^*_\beta \}^*$.

The construction creates new reachable deadlocked global states. In fact, the protocol will never get over the states $r'$ and $r'''$; hence no global state containing $s$ or $s'$ is reachable. It follows that the loop at $s$ will never be entered and, therefore, the pair $(F_0, F_1)$ has the bounded channel property if and only if $(F'_0, F'_1)$ has. □

Proof of 7.1 (a) follows directly from Theorem A.1 (in the appendix) and 7.3(a).

Similarly, (b) follows from A.3, 7.3(a) and 7.3(b). (Observe that the construction 7.3 is such that if the tag system $T = (\Sigma, g, w_0)$ satisfies $|g|^- > 0$ then the protocol has no receive cycles. Hence the problems (a) and (b) are undecidable even for the protocols with no send and no receive cycles.)

To prove the undecidability of (c), we combine the already proved case (a) with 7.4. Similarly, (d) follows from (b) and 7.5. □

The forthcoming Lemma 7.6 will simplify the proof of 7.2. Say that two finite directed graphs are homeomorphic if one can be transformed to the other by a finite sequence of elementary replacements, each of which either replaces an edge $0 \to 1$ by two edges $0 \to 2 \to 1$ (where 2 is a new vertex) or vice versa. For example, the two graphs in Fig. 7.4 are homeomorphic.

Lemma 7.6 Let $G$ and $G'$ be two homeomorphic graphs. The problem "Is a given composite state stable?" is decidable for every CFSM protocol with the communication graph $G$ if and only if it is decidable for every CFSM protocol with the communication graph $G'$.

It will be obvious from the proof of 7.6 that the same result holds for the deadlock problem, the bounded-channel problem, etc.

Proof of 7.6 It is enough to prove the result under the assumption that $G'$ is produced from $G$ by a single elementary replacement, which replaces $0 \to 1$ by $0 \to 2 \to 1$. Assume this is the case.

Let the problem be decidable for every CFSM protocol with the communication graph $G$, and let $P'$ be a protocol with the communication graph $G'$. Using the abstract flow control argument of sections 5 and 10 (with the highest priority at the node 2), we can confine ourselves to the global states in which the channel from 0 to 2 contains at most one symbol, and we do not lose any reachable global states of the form $(S, C^0)$. Now we combine the state of the machine at 0, the state of the machine at 2, and the content of the channel $0 \to 2$ into a single state; this transforms $P'$ into a protocol with the communication graph $G$. It follows that the problem is decidable for $G'$.

Fig. 7.4. Two homeomorphic graphs.

Conversely, assume that the problem is decidable for $G'$. Every CFSM protocol with the communication graph $G$ can be transformed into one with the communication graph $G'$ by including a repeater (perfect transmission demon) at the node 2. It follows that the problem is decidable for $G$. □

Proof of 7.2 Clearly it suffices to prove the undecidability for every graph $G$ for which $VG$ is a circle. When $VG$ is a circle, there are two possibilities: Either $G$ itself is a (directed) cycle or $G$ is acyclic as a directed graph. Since every directed cycle is homeomorphic to the two-node graph $0 \rightleftarrows 1$, the case of $G$ being a cycle is taken care of by 7.1(a) (or 7.1(c)) and 7.6.

It remains to be proved that the stable composite state problem is undecidable for every acyclic graph $G$ for which $VG$ is a circle. The proof is based on the undecidability of the modified Post's correspondence problem (MPCP). Recall [Hop] that an instance of MPCP consists of two lists $x = (x_0, x_1, \ldots, x_n)$ and $y = (y_0, y_1, \ldots, y_n)$ of strings over an alphabet $\Sigma$. The instance has a solution if there is a sequence of integers $j_1, j_2, \ldots, j_k$ such that

$x_0 x_{j_1} \cdots x_{j_k} = y_0 y_{j_1} \cdots y_{j_k}$;

the sequence $j_1, j_2, \ldots, j_k$ is called a solution for the instance of MPCP. It is known that the problem "Given an instance of MPCP, has it a solution?" is undecidable ([Hop], 8.5).

Every acyclic graph $G$ for which $VG$ is a circle is homeomorphic to the graph in Fig. 7.5, for some $m \ge 0$. Hence the undecidability result follows from 7.6 and from this lemma:

Lemma 7.7 For the graph $G$ in Fig. 7.5 and for every instance of MPCP there exist a CFSM protocol with the communication graph $G$ and a composite state $S$ such that $S$ is stable if and only if the instance of MPCP has a solution.

Proof of 7.7 Let $\Sigma$ be the alphabet of the instance of MPCP. For every edge $\xi$ in $G$, the channel alphabet is defined to be $\{ b_\xi \mid b \in \Sigma \}$, where the symbols $b_\xi$ are chosen so that the sets are pairwise disjoint.

All the finite state machines except the one at 0 are simple comparators: Those at the even numbered nodes (except 0) send the same sequences of messages to both channels, those at the odd numbered nodes receive the same sequences from both channels. For example, the machine at 1 has the initial state $h_1$ and a separate state $p_b$ for each $b \in \Sigma$, with transitions $h_1 \xrightarrow{+b_{\alpha_0}} p_b$ and $p_b \xrightarrow{+b_{\alpha_1}} h_1$.

The machine at 0 is capable of sending, for every infinite sequence of indices $j_1, j_2, \ldots$, the sequence of messages

$(x_0)_{\alpha_{2m+1}} (x_{j_1})_{\alpha_{2m+1}} \cdots$

on the channel $\alpha_{2m+1}$, and the sequence

$(y_0)_{\alpha_0} (y_{j_1})_{\alpha_0} \cdots$

on the channel $\alpha_0$. A schematic transition diagram is in Fig. 7.6. The composite state $S = (q_0, h_1, h_2, \ldots, h_{2m+1})$ is stable if and only if there is a solution of the MPCP.

Fig. 7.6. A machine to simulate MPCP.

This completes the proofs of 7.7 and 7.2. □



8 Rational channels for cyclic protocols 

The results in the previous section show that general CFSM protocols can, with the help 
of their infinite channels, simulate arbitrary computation processes. It is for this reason 
that the reachability problems are undecidable. However, we are primarily interested in 
the protocols that use their channels more simply. Can we disqualify the CFSM protocols 
that, by using the channels as an infinite memory, simulate general computations? Can the 
"simple channel property" (or, more precisely, the property of "the channels being used in a 
simple manner" ) be formalized? One sufficient condition for this kind of channel simplicity 
is the bounded channel property. Two more general conditions are offered in this section. 

The popular classification of verification techniques for communication protocols distinguishes between reachability analysis and program proofs [Bo1]. Traditionally, program proofs have been used to verify the protocol properties that are not amenable to reachability analysis. Our present aim is different: The primitive assertion proving technique proposed below is more powerful than the exhaustive reachability analysis, but it stays within the realm of reachability properties.

Rather than treating the reachability analysis and program proofs as two opposites, we shall regard the former as a simple special case of the latter. (Bochmann alludes to this perspective in [Bo2], p. 649.) In this view, illustrated by the following example, the reachability analysis of a bounded-channel CFSM protocol is a method for constructing and proving a set of simple assertions attached to composite states.

Example 8.1 The purpose of the protocol is to limit the total number of messages simultaneously in transit (i.e. the total number of buffers needed). In the example, the limit is two. (Any other limit can be used. The larger the limit, the more states the finite state machines have.) The protocol assumes error-free channels. Data messages are transmitted in both directions. There are three message types:

DATA data message,

ACK acknowledgement of DATA,

RELE releasing buffer.

Initially, each channel is allocated one buffer. Either transmitter can release a buffer, which is then used for transmissions in the opposite direction. The two finite state machines are identical. Fig. 8.1 shows their transition diagrams and the communication graph.

Fig. 8.2 is the complete global state space of the protocol. (We write D=DATA, R=RELE and A=ACK.) The global state space is finite; from it one can read various reachability properties: The total number of messages in transit is at most two, the protocol is deadlock-free, etc. Fig. 8.3 shows a different data structure, which contains the same information as Fig. 8.2 (when Fig. 8.1 is known). The table in Fig. 8.3 lists, for each composite state, the set of all possible channel contents. We can regard each entry in the table as an assertion. For example, the entry $\{(\mathrm{DATA}, \lambda), (\mathrm{RELE}, \lambda), (\mathrm{ACK}, \lambda), (\lambda, \mathrm{DATA}), (\lambda, \mathrm{RELE}), (\lambda, \mathrm{ACK})\}$ at (03,10) asserts: If the state of Process 0 is 03 and the state of Process 1 is 10, then the channel content is $(\mathrm{DATA}, \lambda)$ or $(\mathrm{RELE}, \lambda)$ or $(\mathrm{ACK}, \lambda)$ or $(\lambda, \mathrm{DATA})$ or $(\lambda, \mathrm{RELE})$ or $(\lambda, \mathrm{ACK})$.

The assertions in Fig. 8.3 can be written more compactly. E.g. the entry at (03,13) is the relation $\{(x, y) \mid |x| + |y| = 2\}$, the entry at (00,13) is the relation $\{(x, y) \mid |x| + |y| = 1\}$, etc. Quite simply, the protocol implements a distributed counter. However, an automatic assertion verifier would have to be considerably more intelligent to understand such descriptions.

From the table in Fig. 8.3 we can read, for example, that the composite state (01,13) is stable, and that no message can arrive at 02. (End of Example 8.1.)

In this view, the exhaustive reachability analysis is a method for constructing and verifying the correctness of tables whose entries are finite sets of channel contents. One can argue that the table, or a portion of it, should be a part of the protocol description, because it offers an additional insight into the structure of the protocol. This is especially true if the protocol does not have the bounded channel property. In that case the entries in the table are infinite sets, and the complete table cannot be constructed by the exhaustive reachability analysis. If the table is supplied together with the CFSM description then the analysis algorithm need not construct the table, it merely has to verify its correctness (consistency).

The distinctive feature of the exhaustive reachability analysis is that the domain of 
assertions (the language that they are formulated in) is extremely simple, and therefore 
analysis can be efficiently automated. On the other hand, the method has several limitations. 
Here we address its inability to analyze protocols with unbounded channels. 

Generally speaking, the way to overcome the limitations of any assertion proving system is to extend the domain of assertions; in doing so we trade simplicity for power. A natural extension of the exhaustive reachability analysis is to use more general relations, instead of finite ones, in the assertions. Two important families of relations have been extensively studied in the last ten years, the recognizable and the rational relations; their basic properties can be found in [Ber] and [Eil]. Every finite relation is recognizable and every recognizable relation is rational.
Fig. 8.1. A simple flow control protocol.
Fig. 8.2. The global state space.
Fig. 8.3. Another description of the global state space.



We are going to extend the assertion domain by using recognizable and rational rela- 
tions in place of finite ones. We gain power (ability to analyze protocols with unbounded 
channels), while not losing all the simplicity: The assertion verifier will have to be smarter 
but still fairly simple. 

Definition 8.2 Let $P$ be a CFSM protocol. Say that $P$ has the rational channel property if the relation

$L(S) = \{ C \mid (S^0, C^0) \vdash^* (S, C) \} \subseteq \mathop{\times}_{\xi \in E} M_\xi^*$

is rational for each composite state $S \in \mathop{\times}_{j \in N} K_j$. Say that $P$ has the recognizable channel property if $L(S)$ is recognizable for each $S$.

Thus the bounded channel property implies the recognizable channel property which in turn implies the rational channel property.

In this section we concentrate on cyclic protocols. We return to general CFSM protocols in the next section. As we have seen in Theorem 5.2, cyclic protocols have the property that unbounded channel growth can be confined to a single channel.

Theorem 8.3 For any cyclic CFSM protocol $P$ the following four conditions are equivalent:

(a) $P$ has the recognizable channel property;

(b) $P$ has the rational channel property;

(c) for every $\beta \in E$ and for every composite state $S$, the set

$Q_\beta(S) = \{ x_\beta \in M_\beta^* \mid (x_\xi : \xi \in E) \in L(S) \text{ and } x_\xi = \lambda \text{ for } \xi \ne \beta \}$

is regular;

(d) there exists $\beta \in E$ such that the set $Q_\beta(S)$ is regular for every $S$.

Thus the recognizable and the rational channel property coincide for cyclic protocols. We shall see later that this is not the case in general.

The sets $Q_\beta(S)$ of Theorem 8.3 are consistent, in this sense: If $(S, (x_\xi : \xi \in E)) \vdash^* (S', (x'_\xi : \xi \in E))$, $x_\xi = x'_\xi = \lambda$ for $\xi \ne \beta$, and $x_\beta \in Q_\beta(S)$ then $x'_\beta \in Q_\beta(S')$. At the same time, there is an efficient algorithm to decide whether a given family of regular sets $Q(S)$, indexed by $S \in \mathop{\times}_{j \in N} K_j$, is consistent (with respect to $\beta$ and $P$).

Moreover, a consistent family $Q(S)$ such that $\lambda \in Q(S^0)$ and $\lambda \notin Q(S)$ constitutes a proof that $(S, C^0)$ is not reachable from $(S^0, C^0)$ (i.e. that $S$ is not a stable state). Consequently, if a cyclic protocol has the rational channel property then for each non-stable $S$ there is an automatically verifiable proof that $S$ is not stable.

The foregoing discussion is summed up in Definition 8.4 and Theorems 8.5 and 8.6.

Definition 8.4 Let $P$ be a CFSM protocol, $\beta \in E$, and let $Q(S) \subseteq M_\beta^*$ for every $S \in \mathop{\times}_{j \in N} K_j$. Say that the sets $Q(S)$ are consistent (with respect to $P$ and $\beta$) if

$(S, (x_\xi : \xi \in E)) \vdash^* (S', (x'_\xi : \xi \in E))$, $x_\xi = x'_\xi = \lambda$ for $\xi \ne \beta$, and $x_\beta \in Q(S)$

imply $x'_\beta \in Q(S')$.

Theorem 8.5 There is an algorithm to decide whether any given family of regular sets $Q(S)$ is consistent (with respect to a given cyclic $P$ and a given $\beta$).

Theorem 8.6 Let $P$ be a cyclic CFSM protocol with the rational channel property, and let $\beta \in E$. A composite state $S'$ is not stable if and only if there is a consistent family of regular sets $Q(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $\lambda \in Q(S^0)$ and $\lambda \notin Q(S')$.

The following corollary to 8.5 and 8.6 shows that the rational channel property indeed prevents, in an essential way, the cyclic protocol from using channels as a general infinite memory.

Corollary 8.7 The deadlock problem is algorithmically decidable for cyclic CFSM protocols with the rational channel property.

The algorithm in the proof of 8.7 (at the end of this section) is awfully inefficient; it exhaustively searches for the proof of deadlock-freedom. However, once the proof is known, it can be efficiently verified. Therefore it makes sense to require that the protocol designer supply the proof (in the form of channel expressions) as a part of the protocol description. The description of a protocol by means of CFSM augmented with channel expressions will be exhibited in Example 8.9. The description is substantially abridged with the help of the simple result in the forthcoming Theorem 8.8. It says that one need not supply the sets $Q(S)$ for all $S$; it is sufficient to describe $Q(S)$ for sufficiently many $S$, and all the other sets $Q(S)$ can be automatically computed.

Theorem 8.8 Let $P$ be a cyclic CFSM protocol and $\beta \in E$. For each $j \in N$, let $V_j \subseteq K_j$ be a set of states such that $h_j \in V_j$ and if $p_j \to q_j$, $p_j, q_j \in K_j$, then $q_j \in V_j$. Then there is an algorithm to decide whether any given family of regular sets indexed by $S \in \mathop{\times}_{j \in N} V_j$ can be extended to a consistent family of sets $Q(S)$ indexed by $S \in \mathop{\times}_{j \in N} K_j$. Moreover, if the family can be extended then the smallest such sets $Q(S)$ are regular and can be automatically constructed.

The proofs of the results in this section come after the following example, which illustrates 
the proposed proof method. 

Example 8.9 This is a variation of the alternating bit protocol described in section 5. In the present version both stations take turns in transmitting and receiving data packets. The communication graph is again as in Fig. 8.4.




Fig. 8.4. The communication graph. 
Fig. 8.5. Demon 2. (The diagram is not reproduced; the transition labels legible in the scan are +EVA, +ODA, +EDA and −EDA.)

Demon 2 and Demon 3 are identical. Demon 2 is defined in Fig. 8.5; Demon 3 differs only in state numbers (30, 31, ... instead of 20, 21, ...). Processes 0 and 1 are defined in Fig. 8.6. They differ only in the starting state.

Theorem 8.8 applies for these sets $V_j$:
$V_0 = \{00, 01, 02, 04\}$,
$V_1 = \{10, 11, 12, 14\}$,
$V_2 = \{20\}$,
$V_3 = \{30\}$.

This reduces the number of the sets $Q(S)$ that have to be specified from $6 \times 6 \times 7 \times 7 = 1764$ to $4 \times 4 \times 1 \times 1 = 16$. The sets $Q_\alpha(S)$ for $S \in \mathop{\times}_{j=0}^{3} V_j$ are listed in Fig. 8.7. (Recall that, in agreement with the notation in Theorem 8.3, $Q_\alpha(S)$ is the set of all possible contents of the channel from Process 0 to Demon 2 when the other channels are empty.) Each $K_j$, $j = 0, 1, 2, 3$, contains one receive state: the protocol is deadlock-free if and only if the global state $((04, 14, 20, 30), C^0)$ is unreachable. Since the (04,14,20,30) entry in Fig. 8.7 is the empty set, the protocol is deadlock-free.
(End of Example 8.9.)
Fig. 8.7. $Q_\alpha((p, q, 20, 30))$ for $p \in \{00, 01, 02, 04\}$ and $q \in \{10, 11, 12, 14\}$. (The table layout is lost in the scan; the entries still legible read EV* ED* ∪ ..., ED* EVA* ∪ ODA* EVA*, EVA* ODA*, and EVA* ∪ ODA*.)

The proofs of the results in this section follow. Several proofs use the "priority argument" informally; it could be formalized as in the proof of 10.1.

First we establish two lemmas that will be needed in the proof of 8.3.

Lemma 8.10 Let $M_1$ and $M_2$ be two alphabets. If $R \subseteq M_1^*$ is a regular set and $L \subseteq M_1^* \times M_2^*$ is a rational relation then the relation

$L \backslash R = \{ (x, y) \in M_1^* \times M_2^* \mid \exists z : zx \in R \text{ and } (z, y) \in L \}$

is recognizable.

Proof. Let $F = (K, M_1, T, h, A)$ be a deterministic finite automaton accepting $R$; we use the notation of [Hop]. For each $p \in K$, denote by $R_{hp}$ the language accepted by $(K, M_1, T, h, \{p\})$, and by $R_{pA}$ the language accepted by $(K, M_1, T, p, A)$. Define

$L(R_{hp}) = \{ y \in M_2^* \mid \exists x \in R_{hp} : (x, y) \in L \}$.

Now

$L \backslash R = \bigcup_{p \in K} R_{pA} \times L(R_{hp})$

and each $L(R_{hp})$ is regular. It follows that $L \backslash R$ is recognizable. □

Lemma 8.11 Let $P$ be a cyclic CFSM protocol with the communication graph $G = (N, E)$ where $E = \{\alpha_0, \alpha_1, \ldots, \alpha_m\}$, $-\alpha_0 = +\alpha_m$, $-\alpha_1 = +\alpha_0$, ..., $-\alpha_m = +\alpha_{m-1}$.

If $(S', C')$ is a reachable global state such that $C' = (x_\xi : \xi \in E)$, $x_{\alpha_i} = \lambda$ for $k + 1 < i \le m$, then there are a reachable global state $(S, C)$ and a path $\Gamma$ from $(S, C)$ to $(S', C')$ such that

(a) $C = (y_\xi : \xi \in E)$, $y_{\alpha_i} = \lambda$ for $k < i \le m$;

(b) $\mathrm{Im}_i(\Gamma)$ is a trivial path (of length 0) for each node $i \ne +\alpha_k$.

Proof. We use the same priority argument as in the proof of 5.2. There is a path from $(S^0, C^0)$ to $(S', C')$; rearrange it by giving the lowest priority to the node $+\alpha_k = -\alpha_{k+1}$. Let $\Gamma$ be the longest suffix of the rearranged path for which (b) holds. Let $(S, C)$ be the starting global state of $\Gamma$. Then $C = (y_\xi : \xi \in E)$ must satisfy (a): If $y_{\alpha_{k+1}} \ne \lambda$ then $\Gamma$ could be made one step longer; if $y_{\alpha_i} \ne \lambda$ for some $i > k + 1$ then $\Gamma$ could not lead to $(S', C')$. □

Proof of 8.3 Clearly (a)⇒(b) and (c)⇒(d). To prove the implication (b)⇒(c), observe that

$Q_\beta(S) \times \mathop{\times}_{\xi \ne \beta} \{\lambda\} = L(S) \cap \{ (x_\xi : \xi \in E) \mid x_\xi = \lambda \text{ for } \xi \ne \beta \}$.

The relation $\{ (x_\xi : \xi \in E) \mid x_\xi = \lambda \text{ for } \xi \ne \beta \}$ is recognizable, hence the right hand side is rational ([Ber], p. 57). Since $Q_\beta(S)$ is a homomorphic image of the left hand side, it follows that $Q_\beta(S)$ is regular.

It remains to be shown that (d)⇒(a) (this is the only part of the proof that uses the fact that $P$ is cyclic). Assume, without loss of generality, that $E = \{\alpha_0, \alpha_1, \ldots, \alpha_m\}$, $-\alpha_0 = +\alpha_m$, $-\alpha_1 = +\alpha_0$, ..., $-\alpha_m = +\alpha_{m-1}$, and $\beta = \alpha_0$. By induction on $k$ we show that the relation

$L_k(S) = \{ (x_\xi : \xi \in E) \in L(S) \mid x_{\alpha_i} = \lambda \text{ for } k < i \le m \}$

is recognizable for $0 \le k \le m$ and every $S$. As $L_m(S) = L(S)$, this proves (a).

Induction basis: $L_0(S) = Q_\beta(S) \times \mathop{\times}_{i=1}^{m} \{\lambda\}$ and $Q_\beta(S)$ is regular, hence $L_0(S)$ is recognizable (for every $S$).

Induction step: Assume that $0 \le k < m$ and $L_k(S)$ is recognizable for every $S$. Thus

$L_k(S) = \bigcup_{u=0}^{r(S)} \mathop{\times}_{i=0}^{m} Q_{ui}(S)$,

where every set $Q_{ui}(S)$ is regular, $Q_{ui}(S) \subseteq M_{\alpha_i}^*$, and $Q_{ui}(S) = \{\lambda\}$ for $k < i \le m$.

For each ft, the relation Lfe + i(S") can be expressed in terms of the relations Lfc(iS), 
5 G X Kj, and the finite state machine F n — (K n , £ n , T„, /i„), where n = +ak = — &k+i' 

jEN 

Write ft = (pj : jEN) and for every q E K n denote by R(q) C Af* fc x M* the rational 
relation defined by the transducer 

(K n , M ak , M ak+1 ,T n ,q, {p n }) . 

Let S'(q) = (qj : jEN) where qj = Pj for j ^ n and q n = q. By Lemma Ill 

m 

X x (R(g)\Q„ fc (S'(g))) 

in the notation of Lemma 18. 101 Hence Lfe+i(S") is recognizable bv l8.10l □ 

The next two lemmas . 18.121 and 18 . 1 31 are used in the proof of 18. 51 

Lemma 8.12 A family of sets Q(S) is consistent (with respect to a cyclic protocol P and 
an edge (3 EE) if and only if the following three conditions are satisfied: 

(a) If(S,(x e ;£GE)) P (ft, : bEMp, x ( 
then x'pEQ(S'). 

(b) If(S,(x e ;Z&E)) h bEMp, x 6 
then x'pEQ(S'). 

(c) If there is a path T from (S, C ) to (ft, C°) whose no step is labelled +b or —b, bEMp, 
then Q(S) C Q'(S'). 

Proof. Observe that (c) is equivalent to the following, formally stronger, condition: 

(d) If there is a path V from (S, (x ( : f €£)) to (ft, (x£ : £ G E)), X£ = x' £ = A for £ ^ ft 
xpEQ(S) and no step in T is labelled +6 or —6, bEMp, then = x'pEQ(S'). 

It is clear that (a), (b) and (d) each are necessary for the consistency of Q(S). To prove 
that the three conditions together are also sufficient, take any path T in the global state 
space, say from (S,(x^: £,EE)) to (ft, (a^ : £ G Ej), such that x% — x'^ = A for £ ^ /? 
and rr^ G Q{S). Using the priority argument again, rearrange T so that j/j = y£ = A for 

whenever (ft, (y f : £eE)) h (ft,(^:£G£)) or (ft,( % :£e£)) h (ft, : 
is a step in the rearranged path. Thus the rearranged path is a concatenation of paths to 
each of which either (a) or (b) or (d) applies. It follows that x'p EQ(S'). □ 



r(S'(q)) 
L fe+1 (ft) = (J U 
qEK n f=0 



= x'^ = A for £ ^ ft and G Q(5) 
= = A /or £ y£ ft and X/j G Q(5) 
Lemma 8.13 Let $P$ be a cyclic CFSM protocol and $\beta \in E$. Then there is an algorithm to find, for any composite state $S$, every composite state $S'$ for which there is a path from $(S, C^0)$ to $(S', C^0)$ with no step labelled $+b$ or $-b$, $b \in M_\beta$.

Proof. Construct the following directed graph $H$. The nodes of $H$ are the composite states of $P$. There is an edge in $H$ from $S_1$ to $S_2$ iff there exists $\xi \in E$, $\xi \ne \beta$, such that $S_1 = (p_j : j \in N)$, $S_2 = (q_j : j \in N)$, $p_j = q_j$ for $j \ne \pm\xi$, and $p_{-\xi} \xrightarrow{-b} q_{-\xi}$, $p_{+\xi} \xrightarrow{+b} q_{+\xi}$ for some $b \in M_\xi$. Now $S'$ can be reached from $S$ by a directed path in $H$ if and only if there is a path $\Gamma$ from $(S, C^0)$ to $(S', C^0)$ in the global state space such that no step of $\Gamma$ is labelled $+b$ or $-b$, $b \in M_\beta$. Hence the property can be decided by the standard reachability (transitive closure) algorithm in the graph $H$. □
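As an added illustration of the construction in the proof of Lemma 8.13 (example code written for this page, not the paper's), the following Python builds the graph $H$ for a small constructed two-node protocol and runs the reachability step; the protocol itself, the node and channel names and the dictionary encoding of the machines are assumptions of the example.

```python
"""Graph H from the proof of Lemma 8.13 (example added for this page; not the
paper's code). A CFSM protocol is encoded as channels xi with sender -xi,
receiver +xi and alphabet M_xi, plus one finite state machine per node whose
transitions are labelled "-xi b" (send b on xi) or "+xi b" (receive b from xi).
The two-node protocol below is constructed for the example: channel "alpha"
from node 0 to node 1 with M_alpha = {d}, channel "beta" back with M_beta = {b}."""
from collections import deque
from itertools import product

# channel name -> (sender node -xi, receiver node +xi, alphabet M_xi)
CHANNELS = {
    "alpha": (0, 1, {"d"}),
    "beta": (1, 0, {"b"}),
}

# node -> transitions (src_state, sign, channel, symbol, dst_state)
MACHINES = {
    0: [("00", "-", "alpha", "d", "01"), ("01", "+", "beta", "b", "00")],
    1: [("10", "+", "alpha", "d", "11"), ("11", "-", "beta", "b", "10")],
}
NODES = sorted(MACHINES)


def states_of(node):
    """Local states of a node's machine, in first-mention order."""
    seen = []
    for src, _, _, _, dst in MACHINES[node]:
        for s in (src, dst):
            if s not in seen:
                seen.append(s)
    return seen


def composite_states():
    """All composite states S = (p_j : j in N), one local state per node."""
    return [tuple(c) for c in product(*(states_of(n) for n in NODES))]


def moves(node, state, sign, channel):
    """Moves of `node` from `state` of the given kind, as {symbol: next_state}."""
    return {sym: dst for src, sg, ch, sym, dst in MACHINES[node]
            if src == state and sg == sign and ch == channel}


def build_H(beta):
    """Edges of H: S1 -> S2 iff for some channel xi != beta and some b in M_xi,
    node -xi sends b and node +xi receives b while every other node stands
    still. Collapsing the send and its reception into one edge keeps every
    channel empty at both ends of the edge, which is why H-reachability
    matches paths (S, C0) -> (S', C0) that never touch beta (Lemma 8.13)."""
    edges = {S: set() for S in composite_states()}
    for S1 in edges:
        for xi, (snd, rcv, alphabet) in CHANNELS.items():
            if xi == beta:
                continue
            sends = moves(snd, S1[NODES.index(snd)], "-", xi)
            recvs = moves(rcv, S1[NODES.index(rcv)], "+", xi)
            for b in sends.keys() & recvs.keys() & alphabet:
                S2 = list(S1)
                S2[NODES.index(snd)] = sends[b]
                S2[NODES.index(rcv)] = recvs[b]
                edges[S1].add(tuple(S2))
    return edges


def reachable_without(beta, S):
    """Composite states S' with a path (S, C0) -> (S', C0) whose steps are never
    labelled +b or -b with b in M_beta: breadth-first transitive closure in H."""
    H = build_H(beta)
    seen, queue = {S}, deque([S])
    while queue:
        cur = queue.popleft()
        for nxt in H[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    # Avoiding beta, the only move is the send/receive pair on alpha.
    print(sorted(reachable_without("beta", ("00", "10"))))
```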

Proof of 8.5. To prove that there is an algorithm to decide the consistency of a family of regular sets $Q(S)$, we construct algorithms to decide the properties (a), (b) and (c) in Lemma 8.12.

It is easy to check (a). The condition says that if $p \xrightarrow{+b} q$ in $F_{+\beta}$, $S = (p_j : j \in N)$, $S' = (q_j : j \in N)$, $p_j = q_j$ for $j \ne +\beta$, $p_{+\beta} = p$ and $q_{+\beta} = q$, then

$$\{\, x \mid bx \in Q(S) \,\} \subset Q(S').$$

The inclusion is algorithmically decidable for regular sets $Q(S)$ and $Q(S')$. A similar algorithm decides (b).

The algorithm to decide (c) has two components. The first, based on the algorithm in Lemma 8.13, finds every pair of composite states $S$ and $S'$ for which there is a path $\Gamma$ from $(S, C^0)$ to $(S', C^0)$ no step of which is labelled $+b$ or $-b$, $b \in M_\beta$. The second component of the algorithm checks the inclusion $Q(S) \subset Q(S')$. □

Proof of 8.6. Let $P$ be a cyclic CFSM protocol and $\beta \in E$. If a composite state $S'$ is not stable then there is a consistent family of regular sets, namely the sets $Q_\beta(S)$ of Theorem 8.3, such that $\Lambda \in Q_\beta(S^0)$ and $\Lambda \notin Q_\beta(S')$.

Conversely, if $S'$ is stable then $(S^0, C^0) \vdash^* (S', C^0)$; hence for any consistent family of sets $Q(S)$, regular or not, such that $\Lambda \in Q(S^0)$, we must have $\Lambda \in Q(S')$. □

Proof of 8.7. An algorithm to decide the deadlock problem combines two semialgorithms, one of which always terminates.

The first searches for a deadlock, using the exhaustive reachability analysis. It terminates whenever the protocol allows a deadlock.

The second semialgorithm searches for a proof of deadlock-freedom in the form of a consistent family of regular sets $Q(S)$ such that $\Lambda \in Q(S^0)$ and $\Lambda \notin Q(S)$ whenever $S$ consists solely of receive states. It terminates if the protocol is deadlock-free. □



Proof of 8.8. Construct a finite state automaton $F$ with $\Lambda$-transitions as follows: The states of $F$ are the composite states of $P$. There is a $\Lambda$-transition from $S_1$ to $S_2$ in $F$ iff the graph $H$ in the proof of 8.13 has an edge from $S_1$ to $S_2$. There is a transition from $S_1 = (p_j : j \in N)$ to $S_2 = (q_j : j \in N)$ labelled $b$, $b \in M_\beta$, iff $p_j = q_j$ for $j \ne +\beta$ and $p_{+\beta} \xrightarrow{+b} q_{+\beta}$. Write $S' \xrightarrow{w} S$, $w \in M_\beta^*$, if the automaton $F$ can move from $S'$ to $S$ by reading $w$.

For a given family of regular sets $Q(S)$, $S \in \mathop{\times}_{j \in N} V_j$, define

$$Q(S) = \{\, y \in M_\beta^* \mid \exists S' \in \mathop{\times}_{j \in N} V_j\ \exists x \in M_\beta^* : S' \xrightarrow{x} S \text{ and } xy \in Q(S') \,\}$$

for every $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$.

Both the given sets and the newly defined ones are regular. In view of 8.5 it is now sufficient to prove this lemma:

Lemma 8.14 If there is a consistent family $Q'(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $Q'(S) = Q(S)$ for every $S \in \mathop{\times}_{j \in N} V_j$, then

(a) $Q(S) \subset Q'(S)$ for every $S \in \mathop{\times}_{j \in N} K_j$; and

(b) the family $Q(S)$, $S \in \mathop{\times}_{j \in N} K_j$, is consistent.

Proof. (a) Let $x \in Q(S)$, $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$. Write $C = (x_\xi : \xi \in E)$ where $x_\beta = x$ and $x_\xi = \Lambda$ for $\xi \ne \beta$. From the definition of $Q(S)$ it follows that there are $S' \in \mathop{\times}_{j \in N} V_j$ and $C' = (x'_\xi : \xi \in E)$ such that $x'_\xi = \Lambda$ for $\xi \ne \beta$, $x'_\beta \in Q(S') = Q'(S')$ and $(S', C') \vdash^* (S, C)$. Hence $x \in Q'(S)$ and, since $x \in Q(S)$ is arbitrary, $Q(S) \subset Q'(S)$.

(b) Let $C = (x_\xi : \xi \in E)$, $C' = (x'_\xi : \xi \in E)$, $x_\xi = x'_\xi = \Lambda$ for $\xi \ne \beta$, $x'_\beta \in Q(S')$ and $(S', C') \vdash^* (S, C)$. It is to be shown that $x_\beta \in Q(S)$. We distinguish three cases:

I. $S \in \mathop{\times}_{j \in N} V_j$; then the inclusion in (a) and the consistency of $Q'(S)$ imply that $x_\beta \in Q(S)$.

II. $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$ and $S' \in \mathop{\times}_{j \in N} V_j$. Since $(S', C') \vdash^* (S, C)$, there is a path $\Gamma$ from $(S', C')$ to $(S, C)$ in the global state space. We assume, again, that $E = \{\alpha_0, \alpha_1, \ldots, \alpha_m\}$, $-\alpha_0 = +\alpha_m$, $-\alpha_1 = +\alpha_0$, \ldots, $-\alpha_m = +\alpha_{m-1}$, and $\beta = \alpha_0$. As before, we rearrange the path $\Gamma$ by using the highest priority at $+\alpha_m$, the next at $+\alpha_{m-1}$, etc., with the lowest priority at $+\alpha_0$. In the rearranged path, let $\Gamma_0$ be the longest prefix whose last step is labelled $-b$, $b \in M_\beta$, and let $\Gamma_1$ be the remaining suffix of the path. Thus $\Gamma_1$ is the longest suffix no step of which is labelled $-b$, $b \in M_\beta$, and the path $\Gamma_0\Gamma_1$ is locally equal to $\Gamma$. The path $\Gamma_0$ leads from $(S', C')$ to $(S'', C'')$, say, with $C'' = (x''_\xi : \xi \in E)$. From the choice of priorities it follows that $S'' \in \mathop{\times}_{j \in N} V_j$ and $x''_\xi = \Lambda$ for $\xi \ne \beta$. At the same time, $\Gamma_1$ defines a sequence of transitions from $S''$ to $S$ in the automaton $F$; let $y \in M_\beta^*$ be the corresponding input of $F$, i.e. $S'' \xrightarrow{y} S$. Then $y x_\beta = x''_\beta \in Q(S'')$ and, therefore, $x_\beta \in Q(S)$.

III. $S, S' \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$. By the definition of $Q(S')$, there are $S'' \in \mathop{\times}_{j \in N} V_j$ and $C'' = (x''_\xi : \xi \in E)$ such that $x''_\xi = \Lambda$ for $\xi \ne \beta$, $x''_\beta \in Q(S'')$ and $(S'', C'') \vdash^* (S', C')$. Hence $(S'', C'') \vdash^* (S, C)$ and the result follows from the already proved case II.

This completes the proofs of 8.14 and 8.8. □



9 Recognizable channels for general protocols 

By Theorem 8.3 the rational and the recognizable channel properties are equivalent for cyclic protocols. We begin this section by showing that the two properties differ in general.

Example 9.1 The communication graph consists of the nodes 0 and 1 and the edges $\alpha$ and $\beta$; both $M_\alpha$ and $M_\beta$ contain a single symbol: $M_\alpha = \{d\}$, $M_\beta = \{b\}$. The transition diagrams of the two finite state machines are in Fig. 9.1. We have

$$L((00, 10)) = \{\, (d^n, b^n) \mid n \ge 0 \,\}$$
$$L((00, 11)) = \{\, (d^n, b^{n+1}) \mid n \ge 0 \,\}$$
$$L((01, 10)) = \{\, (d^{n+1}, b^n) \mid n \ge 0 \,\}$$
$$L((01, 11)) = \{\, (d^n, b^n) \mid n \ge 0 \,\}$$

All these relations are rational, but none is recognizable.
(End of Example 9.1)

The results in section 8 (particularly Corollary 8.7) suggest the following problem.

Open problem 9.2 Is there an algorithm to decide whether an arbitrary CFSM protocol with the rational channel property is deadlock-free?

The present section gives a partial solution: There is an algorithm to decide deadlock-freedom for the CFSM protocols with the recognizable channel property. (This also yields another proof of 8.7.) The key property of recognizable relations needed in this theory, and not possessed by rational relations, is the decidability of inclusion.

The following Definition 9.3 and Theorems 9.4 through 9.7 are analogous to 8.4, 8.5, 8.6, 8.7 and 8.8. The results will be proved at the end of the section.

Fig. 9.1.

Definition 9.3 Let $P$ be a CFSM protocol, and let $R(S) \subset \mathop{\times}_{\xi \in E} M_\xi^*$ for $S \in \mathop{\times}_{j \in N} K_j$. Say that the relations $R(S)$ are consistent (with respect to $P$) if $(S, C) \vdash^* (S', C')$ and $C \in R(S)$ imply $C' \in R(S')$.

Theorem 9.4 There is an algorithm to decide whether any given family of recognizable relations $R(S)$ is consistent (with respect to a given $P$).

Theorem 9.5 Let $P$ be a CFSM protocol with the recognizable channel property. A global state $(S', C')$ is not reachable if and only if there is a consistent family of recognizable relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $C^0 \in R(S^0)$ and $C' \notin R(S')$.

Corollary 9.6 The simple reachability problems (such as the deadlock problem) are algorithmically decidable for the CFSM protocols with the recognizable channel property.

Theorem 9.7 Let $P$ be a CFSM protocol. For each $j \in N$ let $V_j \subset K_j$ be a set of states such that $h_j \in V_j$ and if $p_j \to q_j$, $p_j, q_j \in K_j$, then $q_j \in V_j$. There is an algorithm to decide whether any given family of recognizable relations indexed by $S \in \mathop{\times}_{j \in N} V_j$ can be extended to a consistent family of relations $R(S)$ indexed by $S \in \mathop{\times}_{j \in N} K_j$. Moreover, if the family can be extended then the smallest such sets $R(S)$ are recognizable and can be automatically constructed.

Theorem 9.7 should be compared with the similar result in the next theorem, which is analogous to placing intermediate assertions in program loops, as in the Floyd-Hoare invariant assertion method [Man].
Recall that a feedback vertex set in a directed graph is a set of vertices that intersects every directed cycle in the graph. Theorem 9.8 refers to feedback vertex sets in the product graph (of the protocol $P$). The nodes of the graph are the composite states of $P$, and the edge $S \to S'$ is in the graph iff there exists $i \in N$ such that $S = (p_j : j \in N)$, $S' = (q_j : j \in N)$, $p_j = q_j$ for $j \ne i$, and the edge $p_i \to q_i$ is in the transition diagram of $F_i$.

Theorem 9.8 Let $V$ be a feedback vertex set in the product graph of a CFSM protocol $P$. There is an algorithm to decide whether any given family of recognizable sets $R(S)$ indexed by $S \in V$ can be extended to a consistent family of sets $R(S)$ indexed by $S \in \mathop{\times}_{j \in N} K_j$. Moreover, if the given family can be extended then the smallest such sets $R(S)$, $S \in \mathop{\times}_{j \in N} K_j - V$, are recognizable and can be automatically constructed.

The results of this section are to be used to construct automatically verifiable proofs of reachability properties for the CFSM protocols with the recognizable channel property on general communication graphs, in the same way as the results in section 8 are used for cyclic protocols. The proofs are again in the form of tables; the entries are recognizable relations. Theorems 9.7 and 9.8 help us limit the size of the tables.

The method in this section is in fact more general than the method of regular sets in section 8. Indeed, we can construct a proof that a general global state $(S, C)$ is unreachable, whereas previously we could only prove that $(S, C^0)$ is unreachable (i.e. that $S$ is not stable). We can even decide certain second-order reachability properties:

Theorem 9.9 Let $P$ be a CFSM protocol with the recognizable channel property. Let $b \in M_\beta$, $p_i \in K_i$, $i = +\beta$. The message $b$ cannot arrive at $p_i$ if and only if there is a consistent family of recognizable relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $C^0 \in R(S^0)$ and if $(x_\xi : \xi \in E) \in R((p_j : j \in N))$ then $x_\beta$ does not begin with $b$.

Corollary 9.10 The problem "Can $b$ arrive at $p_i$?" is algorithmically decidable for the CFSM protocols with the recognizable channel property.

Now we prove 9.4 through 9.10.

Proof of 9.4. Although the consistency of a family $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, is defined in terms of the relation $\vdash^*$, it can be equivalently defined in terms of $\vdash$: The relations $R(S)$ are consistent if and only if $(S, C) \vdash (S', C')$ and $C \in R(S)$ imply $C' \in R(S')$. In other words, $R(S)$ are consistent if and only if these two conditions hold:

(a) If $S = (p_j : j \in N)$, $S' = (q_j : j \in N)$, $i = +\beta$, $p_j = q_j$ for $j \ne i$, and $p_i \xrightarrow{+b} q_i$ in $F_i$, then

$$\{\, (x'_\xi : \xi \in E) \mid \exists (x_\xi : \xi \in E) \in R(S) : x_\xi = x'_\xi \text{ for } \xi \ne \beta \text{ and } x_\beta = b x'_\beta \,\} \subset R(S').$$

(b) If $S = (p_j : j \in N)$, $S' = (q_j : j \in N)$, $i = -\beta$, $p_j = q_j$ for $j \ne i$, and $p_i \xrightarrow{-b} q_i$ in $F_i$, then

$$\{\, (x'_\xi : \xi \in E) \mid \exists (x_\xi : \xi \in E) \in R(S) : x_\xi = x'_\xi \text{ for } \xi \ne \beta \text{ and } x_\beta b = x'_\beta \,\} \subset R(S').$$

Since these inclusions are decidable for recognizable relations, both (a) and (b) are decidable. □

Proof of 9.5. The proof is similar to that of 8.6. If $(S', C')$ is not reachable, then the relations $L(S)$ of Definition 8.2 fulfill the condition. Namely, $L(S)$ are consistent, $C^0 \in L(S^0)$ and $C' \notin L(S')$.

Conversely, if $(S', C')$ is reachable then no consistent family of relations $R(S)$, recognizable or not, satisfies $C^0 \in R(S^0)$ and $C' \notin R(S')$. □

Proof of 9.6. As in the proof of 8.7 we combine two semialgorithms, one of which always terminates.

Given a global state $(S', C')$, the first semialgorithm searches for a path from $(S^0, C^0)$ to $(S', C')$. It terminates whenever $(S', C')$ is reachable.

The second semialgorithm searches for a proof of non-reachability of $(S', C')$, in the form of a consistent family of recognizable relations $R(S)$ such that $C^0 \in R(S^0)$ and $C' \notin R(S')$. Since the protocol has the recognizable channel property, the semialgorithm terminates whenever $(S', C')$ is not reachable. □

Proof of 9.7. Define

$$W^+(q, p) = \{\, b_1 b_2 \ldots b_n \mid b_i \in M_\xi \text{ for } 0 < i \le n \text{ and } q \xrightarrow{+b_1\,+b_2\,\ldots\,+b_n} p \,\}$$

for $q, p \in K_{+\xi}$, and

$$W^+(S', S) = \mathop{\times}_{j \in N} W^+(q_j, p_j)$$

for $S' = (q_j : j \in N)$ and $S = (p_j : j \in N)$. For a given family of recognizable relations $R(S)$, $S \in \mathop{\times}_{j \in N} V_j$, define

$$R(S) = \bigcup_{S' \in \mathop{\times}_{j \in N} V_j} \{\, (x_\xi : \xi \in E) \mid \exists (y_\xi : \xi \in E) \in W^+(S', S) : (y_\xi x_\xi : \xi \in E) \in R(S') \,\}$$

for $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$. All the relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, are recognizable, and Theorem 9.7 follows from this lemma:

Lemma 9.11 If there is a consistent family $R'(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $R'(S) = R(S)$ for every $S \in \mathop{\times}_{j \in N} V_j$, then

(a) $R(S) \subset R'(S)$ for every $S \in \mathop{\times}_{j \in N} K_j$; and

(b) the family $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, is consistent.

Proof of 9.11. (a) Let $C \in R(S)$, $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$. By the definition of $R(S)$, there is $S' \in \mathop{\times}_{j \in N} V_j$ such that $(S', C') \vdash^* (S, C)$ for some $C' \in R(S')$. Since the relations $R'(S)$ are consistent, it follows that $C \in R'(S)$. Hence $R(S) \subset R'(S)$.

(b) Let $(S', C') \vdash^* (S, C)$ and $C' \in R(S')$. We want to prove that $C \in R(S)$. We distinguish three cases:

I. $S \in \mathop{\times}_{j \in N} V_j$. Then the inclusion in (a) and the consistency of $R'(S)$ imply $C \in R(S)$.

II. $S \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$ and $S' \in \mathop{\times}_{j \in N} V_j$. Since $(S', C') \vdash^* (S, C)$, there is a path $\Gamma$ from $(S', C')$ to $(S, C)$. There are two paths $\Gamma'$ and $\Gamma''$ such that $\Gamma'\Gamma''$ is locally equal to $\Gamma$, the end state $(S'', C'')$ of $\Gamma'$ satisfies $S'' \in \mathop{\times}_{j \in N} V_j$, and all the steps in $\Gamma''$ are receptions (i.e. are labelled $+b$). Since $R'(S)$ are consistent and $R'(S') = R(S')$ and $R'(S'') = R(S'')$, it follows that $C'' \in R(S'')$. The path $\Gamma''$ defines a vector $(y_\xi : \xi \in E) \in W^+(S'', S)$, and with $C = (x_\xi : \xi \in E)$ we have $(y_\xi x_\xi : \xi \in E) = C'' \in R(S'')$. By the definition of $R(S)$ we get $C \in R(S)$.

III. $S, S' \in \mathop{\times}_{j \in N} K_j - \mathop{\times}_{j \in N} V_j$. By the definition of $R(S')$, there is a global state $(S'', C'')$ such that $S'' \in \mathop{\times}_{j \in N} V_j$, $(S'', C'') \vdash^* (S', C')$ and $C'' \in R(S'')$. Hence $(S'', C'') \vdash^* (S, C)$ and we apply the already proved case II. □

Proof of 9.8. We start with the given recognizable relations $R(S)$, $S \in V$, and first define relations $R(S)$, for $S \notin V$, as follows. For $S \in \mathop{\times}_{j \in N} K_j - V$, let $R(S)$ be the set of all those $C \in \mathop{\times}_{\xi \in E} M_\xi^*$ for which there are $S' \in V$, $C' \in R(S')$, and a path from $(S', C')$ to $(S, C)$ such that no composite state $S''$ along the path (except $S'$) belongs to $V$. Since $V$ is a feedback vertex set, no such path can pass through the same composite state twice. Hence the length of all such paths is bounded, and therefore the sets $R(S)$, $S \in \mathop{\times}_{j \in N} K_j - V$, are recognizable and automatically constructible. The result now follows from this lemma:

Lemma 9.12 If there is a consistent family $R'(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $R'(S) = R(S)$ for every $S \in V$, then

(a) $R(S) \subset R'(S)$ for every $S$; and

(b) the family $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, is consistent.

Proof of 9.12 is similar to, but simpler than, that of 9.11.

(a) Let $C \in R(S)$, $S \in \mathop{\times}_{j \in N} K_j - V$. There are $S' \in V$ and $C' \in R(S')$ such that $(S', C') \vdash^* (S, C)$. Since the relations $R'(S)$ are consistent, $C \in R'(S)$. Hence $R(S) \subset R'(S)$.

(b) Let $(S', C') \vdash^* (S, C)$ and $C' \in R(S')$. We want to prove that $C \in R(S)$. We distinguish three cases:

I. $S \in V$. Then the inclusion in (a) and the consistency of $R'(S)$ imply $C \in R(S)$.

II. $S \notin V$ and $S' \in V$. There is a path $\Gamma$ from $(S', C')$ to $(S, C)$. Let $\Gamma''$, from $(S'', C'')$ to $(S, C)$, be the shortest suffix of $\Gamma$ such that $S'' \in V$. Thus $\Gamma = \Gamma'\Gamma''$, $\Gamma'$ leads from $(S', C')$ to $(S'', C'')$, and $C'' \in R(S'')$. No composite state along $\Gamma''$ (except $S''$) belongs to $V$, hence $C \in R(S)$ by the definition of $R(S)$.

III. $S \notin V$ and $S' \notin V$. By the definition of $R(S')$, there is a global state $(S'', C'')$ such that $S'' \in V$, and a path from $(S'', C'')$ to $(S', C')$. Hence there is a path from $(S'', C'')$ to $(S, C)$, and the result follows from case II. □

Proof of 9.9. If $b$ cannot arrive at $p_i$ then the relations $L(S)$ of Definition 8.2 fulfill the condition. Conversely, if there is a consistent family of recognizable relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, such that $C^0 \in R(S^0)$ and $x_\beta$ does not begin with $b$ whenever $(x_\xi : \xi \in E) \in R((p_j : j \in N))$, then, by Theorem 9.5, no global state $((p_j : j \in N), (x_\xi : \xi \in E))$ in which $x_\beta$ begins with $b$ is reachable. In other words, $b$ cannot arrive at $p_i$. □

Proof of 9.10. Again it is sufficient to show that if $b$ cannot arrive at $p_i$ then there is an algorithmically verifiable proof. This follows from the previous results in this section and from the following: There is an algorithm to decide, for every recognizable relation $R \subset \mathop{\times}_{\xi \in E} M_\xi^*$, every $\beta \in E$ and every $b \in M_\beta$, whether there is $(x_\xi : \xi \in E) \in R$ such that $x_\beta$ begins with $b$. □



10 Abstract flow control in general graphs 

We now return to the idea of abstract flow control, introduced in section 5 for cyclic graphs. Recall that our first aim is to limit the number of locally equal paths to be examined by the reachability algorithms. This alone is easily achieved; we can order all nodes of the communication graph by assigning them distinct priorities, and thus select a unique path in every class of locally equal paths.

However, not all such priority assignments are of equal value. Our second aim is to choose locally equal paths that use a small number of global states. Two methods for making the choice, leading to two different priority schemes, are described in this section. Then the priority arguments are applied to give a partial solution of the reachability problem for the rational channel CFSM protocols.

Let $\Gamma$ be a path in the global state space of a CFSM protocol. Suppose that $\Phi(S, C)$ is a proposition applicable to every global state $(S, C)$; that is, $\Phi(S, C)$ is a (true or false) statement for every $(S, C)$. Say that $\Phi(S, C)$ is true frequently along $\Gamma$ if $\Phi(S, C)$ is true for at least one of every two consecutive global states along $\Gamma$. In particular, if $\beta$ is an edge in the communication graph and the statement "if $C = (x_\xi : \xi \in E)$ then $x_\beta = \Lambda$" is true frequently along $\Gamma$, then the transmissions and receptions on the channel $\beta$ are tightly coupled in the execution described by $\Gamma$; in other words, every symbol sent on $\beta$ is received at once (in the next step).

The first result uses collections of noncrossing boundaries in the communication graph; the concept is somewhat similar to the laminar collection of (or valuation on) directed cuts in a directed graph, in the sense of Lucchesi and Younger [Luc]. Let $G = (N, E)$ be a directed graph. For $A \subset N$ denote

$$d^-(A) = \{\, \xi \in E \mid +\xi \in A \text{ and } -\xi \notin A \,\}$$
$$d^+(A) = \{\, \xi \in E \mid -\xi \in A \text{ and } +\xi \notin A \,\}$$

and call the sets $d^-(A)$ and $d^+(A)$ the negative and the positive boundary of $A$.

A set $\Psi$ of subsets of $N$ is smooth if for all $A, B \in \Psi$ we have (i) $A \subset B$ or (ii) $B \subset A$ or (iii) $A \cap B = \emptyset$ and $d^-(A \cup B) = d^-(A) \cup d^-(B)$.

Theorem 10.1 Let $G = (N, E)$ be the communication graph of a CFSM protocol and let $\Psi$ be a smooth set of subsets of $N$. For every path that ends in a global state with empty channels, there exists a locally equal path along which the following is frequently true:

$$\forall A \in \Psi\ \exists \beta \in d^-(A) : \text{ if } C = (x_\xi : \xi \in E) \text{ then } x_\beta = \Lambda.$$

Proof of 10.1. Order the sets in $\Psi$ in a sequence $A_0, A_1, \ldots, A_n$ such that if $A_i \subset A_j$ then $i < j$. Set $B_0 = A_0$ and $B_k = A_k - \bigcup_{i < k} A_i$ for $k > 0$. Let $\Gamma$ be a path ending in a global state with empty channels. We rearrange $\Gamma$ by executing the processes in $B_0$ with the highest priority, those in $B_1$ with the second highest, etc.

Formally, if $\Gamma$ contains two adjacent steps

$$\Gamma_1 : (S_1, C_1) \vdash^{e_1} (S_2, C_2)$$
$$\Gamma_2 : (S_2, C_2) \vdash^{e_2} (S_3, C_3)$$

such that $\mathrm{Im}_{i_1}(\Gamma_1)$ and $\mathrm{Im}_{i_2}(\Gamma_2)$ are nontrivial paths, $i_1 \in B_{j_1}$, $i_2 \in B_{j_2}$, $j_1 > j_2$, and if it is not the case that $e_2 = +b$, $b \in M_\beta$, $C_1 = (x_\xi : \xi \in E)$ and $x_\beta = \Lambda$, then we replace the subpath $\Gamma_1\Gamma_2$ in $\Gamma$ by the path $(S_1, C_1) \vdash (S_4, C_4) \vdash (S_3, C_3)$ for a suitable $(S_4, C_4)$. We repeat the same with the new path, etc., until no further transformation is possible. Let $\Gamma'$ be the path constructed by this process. We wish to show that

$$\forall A \in \Psi\ \exists \beta \in d^-(A) : \text{ if } C = (x_\xi : \xi \in E) \text{ then } x_\beta = \Lambda$$

frequently along $\Gamma'$.

If not then there are two consecutive global states $(S, C)$ and $(S', C')$ in $\Gamma'$ and two sets $A, A' \in \Psi$ such that $C = (x_\xi : \xi \in E)$, $C' = (x'_\xi : \xi \in E)$ and

$$\forall \xi \in d^-(A) : x_\xi \ne \Lambda$$
$$\forall \xi \in d^-(A') : x'_\xi \ne \Lambda$$

First observe that we can assume, without loss of generality, that $A = A'$. Indeed, if the move from $(S, C)$ to $(S', C')$ is a reception on a channel $\beta \in d^-(A)$ then

and if the move from $(S, C)$ to $(S', C')$ is not a reception on a channel in $d^-(A)$ then

$$\forall \xi \in d^-(A) : x'_\xi \ne \Lambda.$$

Now assume $A = A'$. Since $\Gamma'$ ends in a global state with empty channels, there is a later step $\vdash^{+b}$ in $\Gamma'$, for some $b \in M_\beta$, $\beta \in d^-(A)$. Taking the first such step, say $(S_1, C_1) \vdash^{+b} (S_2, C_2)$, we get a contradiction with the construction of $\Gamma'$: We have $b \in M_\beta$, $\beta \in d^-(A)$ and from the properties of $\Psi$ it follows that $+\beta \in B_i$, $-\beta \in B_j$, $i < j$. Hence the step $(S_1, C_1) \vdash^{+b} (S_2, C_2)$ could be exchanged with the previous step in $\Gamma'$, contrary to the assumption that no further transformation is applicable to $\Gamma'$. □

Observe that Theorem 5.2 follows immediately from 10.1. Indeed, with the notation of 5.2 there is a smooth set $\Psi$ of subsets of $N$ such that $\{\beta\} = d^+(A)$ for every $A \in \Psi$ and

$$\{\, d^-(A) \mid A \in \Psi \,\} = \{\, \{\xi\} \mid \xi \in E - \{\beta\} \,\}.$$

Fig. 10.1 shows such a set $\Psi$ for a cyclic protocol whose graph has four nodes.

The priorities in the proof of Theorem 10.1 are interpreted in the "standard" way: A node executes (i.e. its finite state machine makes a move) if and only if it is not blocked (waiting for input) and all the nodes with higher priorities are blocked.

Fig. 10.1. The smooth set $\{A_1, A_2, A_3\}$.
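The boundaries $d^-(A)$ and $d^+(A)$, the smoothness test and the priority classes $B_0, \ldots, B_n$ from the proof of 10.1, as an added Python example that is not the paper's code. The four-node cyclic graph, its channel names e01 to e30 and the family $\Psi$ are constructed here to match the description of Fig. 10.1 (with $\beta$ = e01), and the sample channel contents used to exercise the "frequently true" notion are constructed as well.

```python
"""Boundaries, smooth families and the priority classes of Theorem 10.1
(example added for this page; not the paper's code). A communication graph is
encoded as a dict channel -> (sender -xi, receiver +xi). The graph EDGES, the
family PSI and the sample channel contents below are constructed to match the
four-node cyclic protocol of Fig. 10.1 with beta = e01 (channel eij runs from
node i to node j)."""
from itertools import combinations


def boundaries(edges, A):
    """d^-(A) (channels entering A) and d^+(A) (channels leaving A)."""
    A = set(A)
    d_minus = {xi for xi, (snd, rcv) in edges.items() if rcv in A and snd not in A}
    d_plus = {xi for xi, (snd, rcv) in edges.items() if snd in A and rcv not in A}
    return d_minus, d_plus


def is_smooth(edges, psi):
    """Psi is smooth iff every pair A, B is nested, or is disjoint with
    d^-(A u B) = d^-(A) u d^-(B), i.e. no channel entering A comes from B
    or vice versa."""
    for A, B in combinations([frozenset(s) for s in psi], 2):
        if A <= B or B <= A:
            continue
        if A & B:
            return False
        lhs = boundaries(edges, A | B)[0]
        rhs = boundaries(edges, A)[0] | boundaries(edges, B)[0]
        if lhs != rhs:
            return False
    return True


def priority_classes(psi):
    """B_0, ..., B_n of the proof of 10.1: order Psi so that A_i subset A_j
    implies i < j (sorting by size does this for a set family), then take
    B_0 = A_0 and B_k = A_k - (A_0 u ... u A_{k-1}). Nodes in B_0 get the
    highest priority, nodes in B_1 the next, and so on; nodes in no set of
    Psi are left with the lowest priority."""
    classes, covered = [], set()
    for A in sorted((frozenset(s) for s in psi), key=len):
        classes.append(A - covered)
        covered |= A
    return classes


def theorem_10_1_property(edges, psi):
    """The proposition of Theorem 10.1 as a predicate on a channel content C
    (dict channel -> string): for every A in Psi some channel of d^-(A) is empty."""
    d_minus = [boundaries(edges, A)[0] for A in psi]
    return lambda C: all(any(C[xi] == "" for xi in d) for d in d_minus)


def is_frequently_true(path, prop):
    """`path` is a list of states; `prop` is frequently true along it if it
    holds for at least one of every two consecutive states."""
    return all(prop(path[i]) or prop(path[i + 1]) for i in range(len(path) - 1))


# Constructed instance of Fig. 10.1: a 4-node cycle 0 -> 1 -> 2 -> 3 -> 0, beta = e01.
EDGES = {"e01": (0, 1), "e12": (1, 2), "e23": (2, 3), "e30": (3, 0)}
PSI = [{0}, {0, 3}, {0, 2, 3}]

# Constructed channel contents: EMPTY, then a symbol in flight on e30, then on e12.
EMPTY = {"e01": "", "e12": "", "e23": "", "e30": ""}
C_E30 = dict(EMPTY, e30="m")
C_E12 = dict(EMPTY, e12="m")

if __name__ == "__main__":
    for A in PSI:
        print(sorted(A), "d^- =", sorted(boundaries(EDGES, A)[0]),
              "d^+ =", sorted(boundaries(EDGES, A)[1]))
    print("smooth:", is_smooth(EDGES, PSI))
    print("priority classes:", [sorted(B) for B in priority_classes(PSI)])
    prop = theorem_10_1_property(EDGES, PSI)
    print("frequently true:", is_frequently_true([EMPTY, C_E30, EMPTY, C_E12, EMPTY], prop))
```

Every $A \in \Psi$ has $d^+(A) = \{\text{e01}\}$ and the negative boundaries are the three singletons $\{\text{e30}\}$, $\{\text{e23}\}$, $\{\text{e12}\}$, which is the situation described for Fig. 10.1; the receiver +e01 = node 1 ends up with the lowest priority.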

A different priority scheme arises when we apply Theorem 10.1 recursively, in a divide-and-conquer manner.

Example 10.2 Consider the following communication graph.

Every execution that begins and ends with empty channels can be reordered so that $\alpha$, $\beta$ and $\gamma$ are frequently empty. However, such a reordering cannot be achieved by the standard priority scheme.

Instead, we first apply Theorem 10.1 to the set $\{\{+\gamma\}\}$, to make $\gamma$ frequently empty. Then we restrict all subsequent reorderings to the remaining nodes of the graph; we next apply 10.1 to the set $\Psi = \{\{-\beta, +\beta\}\}$; this makes $\alpha$ frequently empty. Then, in the graph with the two nodes $-\beta$ and $+\beta$, we apply 10.1 to $\Psi = \{\{+\beta\}\}$, to make $\beta$ frequently empty.

Another way of describing the new execution is to say that the nodes are ordered $+\gamma$, $-\gamma$, $-\beta$, $-\alpha$, from the highest to the lowest priority. However, the priorities now have a different meaning. In the standard scheme, the unblocked process with the highest priority executes. In the present scheme, that unblocked process executes on which the process with the highest priority is (directly or indirectly) blocked. In our example, the priorities are as follows:

If 2 is blocked on 4 and both 4 and 3 are unblocked, then 4 (not 3) executes; in the standard scheme, 3 would execute.
(End of Example 10.2)

Clearly the priority schemes, as well as any other abstract flow control methods, improve the efficiency of the exhaustive reachability analysis by reducing the number of global states that the analysis must enumerate. It is difficult to make any quantitative claims about the efficiency gains because, as Brand and Zafiropulo [Bra] note when they evaluate two analysis methods, "in both approaches a protocol can be analyzed successfully only if its behavior is far from the worst case, as is true for protocols designed in practice." However, in the context of the theory developed in this paper we can prove qualitative claims about the existence of algorithms (rather than their cost).

We have already seen (in section 8) how a priority scheme can be used to construct an algorithm to solve the deadlock problem for the cyclic protocols with the rational channel property. In the remainder of this section we shall see, on two examples, that the same can be done for some other communication graphs.

Theorem 10.3 The problem "Is a given composite state stable?" is algorithmically decidable for the CFSM protocols with the rational channel property and the communication graph

Theorem 10.4 The problem "Is a given composite state stable?" is algorithmically decidable for the CFSM protocols with the rational channel property and the communication graph in Fig. 10.2(a).
The same result can be proved for the graphs in Fig. 10.2(b), (c), (d) and other similar ones. On the other hand, it is not known (to the author) whether the stable composite state problem is decidable for the CFSM protocols with the rational channel property and the communication graphs in Fig. 10.3(a) and (b).

In the forthcoming proofs, we say that a family of relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, is consistent relative to a restriction if this condition holds: if $(S, C) \vdash (S', C')$, $C \in R(S)$, and both $(S, C)$ and $(S', C')$ satisfy the restriction, then $C' \in R(S')$.

Proof of 10.3. If a composite state is stable then its stability is verified by the exhaustive reachability analysis. Thus it suffices to construct a semialgorithm that verifies non-stability and terminates whenever the composite state is not stable. We show that there is an algorithmically verifiable proof of non-stability for every non-stable composite state; the semialgorithm then simply generates proof candidates until it finds a correct one.

Choosing $\Psi = \{\{1\}\}$ in Theorem 10.1 we can restrict our attention to the paths along which frequently $\alpha$ or $\beta$ is empty. Thus for every non-stable composite state $S'$ there is a proof of non-stability of $S'$, in the form of a family of relations $R(S)$, $S \in \mathop{\times}_{j \in N} K_j$, that are consistent relative to the restriction "$|x_\alpha| \le 1$ or $|x_\beta| \le 1$" and such that $C^0 \in R(S^0)$ and $C^0 \notin R(S')$. The consistency is algorithmically verifiable when the relations are recognizable; hence the result follows from this lemma:

Lemma 10.5 If $R \subset M_\alpha^* \times M_\beta^*$ is a rational relation then the relation

$$R' = \{\, (x_\alpha, x_\beta) \in R \mid |x_\alpha| \le 1 \text{ or } |x_\beta| \le 1 \,\}$$

is recognizable.

Proof of 10.5. For every $x \in M_\alpha^*$ the relation

$$R_\alpha(x) = \{\, (x_\alpha, x_\beta) \in R \mid x_\alpha = x \,\}$$

is recognizable; similarly, for every $y \in M_\beta^*$ the relation

$$R_\beta(y) = \{\, (x_\alpha, x_\beta) \in R \mid x_\beta = y \,\}$$

is recognizable. Since the relation $R'$ is equal to

$$R_\beta(\Lambda) \cup R_\alpha(\Lambda) \cup \bigcup_{x_\alpha \in M_\alpha} R_\alpha(x_\alpha) \cup \bigcup_{x_\beta \in M_\beta} R_\beta(x_\beta),$$

it is recognizable.

This completes the proofs of 10.5 and 10.3. □
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In the forthcoming proof of ll(J.4l we split the graph in Fig. 10.2(a) into the two graphs in 
Fig. 10.4. For the given CFSM protocol P (with the communication graph in Fig. 10.2(a)) 
and for an arbitrary deterministic (complete) finite automaton F over the alphabet Af 7 , we 
define two protocols P'(-F) and P"(F) as follows: The protocol P'(F) has the communica- 
tion graph of Fig. 10.4(a), the finite state machines at the nodes 0' and 1' are the same as 
those at and 1 in P and the machine at 2' is F (with every label in its transition diagram 
prefixed by +). The communication graph of P"(F) is as in Fig. 10.4(b), the finite state 
machine at 0" is F (with every label prefixed by — ) and the machines at 1" and 2" are the 
same as those at 2 and 3 in P. 

Lemma 10.6 Let J 3 be a CFSM protocol with the communication graph in Fig. 10.2(a), 
and let {pq,Pi,P2,P3) be a composite state of P. Assume that there exist a deterministic 
finite automaton (over M 7 ) and a set U of its states such that 

(a) if p is a state of F , p ^ U , then (po,Pi,p) is not stable for P'(F); and 

(b) ifpGU then (p,P2,P3) is not stable for P"(F). 
Then (j>o,pi,P2,P3) is not stable (forP). 

Proof of lTUlfl Suppose that S' = (p ,Pi,P2,P 3 ) is stable, i.e. {S°,C°) \-* (S',C°). 
We use higher priority for the nodes and 1 to get two paths F and Tx and a channel 
content C = : £ £ E) such that 

(1) = A for £ 7^ 7 (where 7 is the edge from 1 to 2 in Fig. 10.2(a)); 

(2) T leads from (S*°,C°) to ((po,p 1 ,h2,h 3 ),C / ); 

(3) Ti leads from ((p Q ,pi, h 2 , h 3 ), C) to (S",C°); and 

(4) the images Im 2 (r ), Im 3 (r ), Im (Fi), Imi(Fi) are all trivial paths. 

Let F be any deterministic finite automaton over M 1 , and U a set of its states. Let p be 
the state of F to which F moves from its initial state by reading x 1 . The composite state 
(Po>Pi>P) is stable for P'(F), and (p,P2,Pz) is stable for P"(F). Thus (a) and (b) in 110.61 
cannot be both true. □ 

The crucial step in the proof of 10.4 is the following lemma, which (together with 10.5) shows that for every non-stable composite state of $P$ there is an algorithmically verifiable proof of its non-stability.

Lemma 10.7 Let $P$ be a CFSM protocol with the rational channel property and the communication graph in Fig. 10.2(a). If a composite state $(p_0,p_1,p_2,p_3)$ of $P$ is not stable then there exist a deterministic finite automaton $F$ and a set $U$ of its states such that

(a) there is a family of recognizable relations $R'(S')$ indexed by the composite states $S'$ of the protocol $P'(F)$, consistent relative to the restriction "$|x_{\alpha'}| \le 1$ and $|x_{\gamma'}| \le 1$", such that $C^0 \in R'(S'^0)$ and $C^0 \notin R'((p_0,p_1,p))$ for every state $p$ of $F$ not in $U$;

(b) there is a family of recognizable relations $R''(S'')$ indexed by the composite states $S''$ of the protocol $P''(F)$, consistent relative to the restriction "$|x_{\alpha''}| \le 1$ and $|x_{\gamma''}| \le 1$", such that $C^0 \in R''(S''^0)$ and $C^0 \notin R''((p,p_2,p_3))$ for every state $p \in U$.

Proof of 10.7. Let $Q$ be the set $Q_\gamma((p_0,p_1,h_2,h_3))$ of Theorem 8.3, that is,

$$Q = \{\, x_\gamma \in M_\gamma^* \mid (S^0,C^0) \vdash^* ((p_0,p_1,h_2,h_3),(x_\xi : \xi \in E)) \text{ and } x_\xi = \Lambda \text{ for } \xi \neq \gamma \,\}.$$

Since $P$ has the rational channel property, $Q$ is regular. There is a deterministic finite automaton $F$ to recognize $Q$; let $U$ be the set of accepting states of $F$. To define the relations $R'((q_0,q_1,p))$ and $R''((p,q_2,q_3))$, we use the relations $L(S)$ of Definition 8.2. Denote by $h'$ the initial state of $F$.

$$R'((q_0,q_1,p)) = \{\, (x_{\alpha'}, x_{\beta'}, x_{\gamma'}) \mid \exists (x_\alpha,x_\beta,x_\gamma,x_\delta,x_\varepsilon) \in L((q_0,q_1,h_2,h_3))\ \exists y \in M^* :\ x_{\alpha'} = x_\alpha,\ x_{\beta'} = x_\beta,\ x_\delta = x_\varepsilon = \Lambda,\ |x_{\alpha'}| \le 1,\ |x_{\gamma'}| \le 1,\ h' \xrightarrow{\,y\,} p \text{ in } F \text{ and } y\,x_{\gamma'} = x_\gamma \,\}$$

for every composite state $(q_0,q_1,p)$ of $P'(F)$. If $(p,q_2,q_3)$ is a composite state of $P''(F)$ such that a state in $U$ can be reached from $p$ in $F$ then define

$$R''((p,q_2,q_3)) = \{\, (x_{\alpha''}, x_{\beta''}, x_{\gamma''}) \mid \text{[defining condition lost in the extracted text]} \,\},$$

and if no state in $U$ can be reached from $p$, define

$$R''((p,q_2,q_3)) = \{\, (x_{\alpha''}, x_{\beta''}, x_{\gamma''}) \mid |x_{\alpha''}| \le 1 \text{ and } |x_{\gamma''}| \le 1 \,\}.$$

Since $P$ has the rational channel property, the relations $L(S)$ are rational, and therefore $R'(S')$ and $R''(S'')$ are recognizable.

The consistency of $R'(S')$ and $R''(S'')$ follows from the consistency of $L(S)$ and from the definition of $F$ and $U$. It also follows from the definition of $F$ and $U$ that if $C^0 \in R'((p_0,p_1,p))$ then $p \in U$, and that if $C^0 \in R''((p,p_2,p_3))$ then $p \notin U$. This completes the proof of 10.7. □

Proof of 10.4. As in the proof of 10.3 it suffices to show that for every non-stable composite state there is an algorithmically verifiable proof of its non-stability. By 10.7 and 10.6 there is such a proof, consisting of $F$, $U$, the family $R'(S')$ and the family $R''(S'')$. Indeed, if $p$ is a state of $F$ not in $U$ then the family $R'(S')$ is a proof that $(p_0,p_1,p)$ is not stable for $P'(F)$ (by the priority argument applied to the graph in Fig. 10.4(a), every stable composite state is reachable by a path along which frequently $\alpha'$ and $\gamma'$ are empty). Similarly, the priority argument applied to the graph in Fig. 10.4(b) shows that the family $R''(S'')$ is a proof that $(p,p_2,p_3)$ is not stable for $P''(F)$ whenever $p \in U$. □



11 Recapitulation and conclusions 

The theory of communicating finite state machines, or, more precisely, of finite state ma- 
chines connected by unbounded queues, is emerging as a valuable tool for the specification 
and correctness analysis of communication protocols operating over channels with indefinite 
delays. Although the CFSM model is very simple, it is rich enough to encompass certain 
basic protocol properties, which are expressed as reachability properties in the global state 
space. 

The reachability properties cannot be automatically verified in the class of all CFSM 
protocols; in other words, the reachability problems are (algorithmically) undecidable. How- 
ever, since the usefulness of the model is greatly enhanced by its amenability to automated 
analysis, it is well worthwhile to look for classes of CFSM protocols in which the problems 
are decidable. Traditionally, the emphasis has been on the class of the protocols with the 
bounded channel property. 
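To make concrete what "reachability properties in the global state space" and the bounded channel restriction amount to, here is an added example in Python (not code from the paper): an exhaustive search of the global states of two stations connected by FIFO channels, with the channel length cut off at a bound. The protocols, the "!m"/"?m" transition labels and the two-station restriction are this example's own constructions; deadlock (all channels empty, every station able only to receive) and unspecified reception (a message at the head of a channel that its receiver cannot accept in its current state) are used in their usual CFSM sense. When a send would exceed the bound the search stops expanding that state and flags it, which is exactly where an unbounded protocol escapes this kind of analysis.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Tuple

# Added example, not code from the paper. A station is a finite state machine
# {state: [(label, next_state), ...]}; label "!m" sends message m to the other
# station, "?m" receives m from the other station. Stations 0 and 1 are joined
# by two FIFO channels: chans[0] carries 0 -> 1, chans[1] carries 1 -> 0.
# A global state is (local states, channel contents).
Station = Dict[str, List[Tuple[str, str]]]
Global = Tuple[Tuple[str, ...], Tuple[Tuple[str, ...], ...]]


class Analysis(NamedTuple):
    reachable: int            # global states found within the bound
    deadlocks: List[Global]
    unspecified: List[Global]
    bound_exceeded: bool      # some send was cut off by the channel bound


def successors(stations, g, bound):
    """Enabled transitions of global state g. Sends that would push a channel
    past `bound` are dropped and reported through the second return value."""
    locals_, chans = g
    out, cut = [], False
    for i, station in enumerate(stations):
        for label, nxt in station.get(locals_[i], []):
            kind, msg = label[0], label[1:]
            new_locals, new_chans = list(locals_), list(chans)
            new_locals[i] = nxt
            if kind == "!":
                if len(chans[i]) >= bound:
                    cut = True
                    continue
                new_chans[i] = chans[i] + (msg,)
            else:  # receive: the head of the incoming channel must be msg
                inc = chans[1 - i]
                if not inc or inc[0] != msg:
                    continue
                new_chans[1 - i] = inc[1:]
            out.append((tuple(new_locals), tuple(new_chans)))
    return out, cut


def is_receiving(station, state):
    """True if the state has transitions and all of them are receives."""
    trans = station.get(state, [])
    return bool(trans) and all(label[0] == "?" for label, _ in trans)


def explore(stations, initial, bound):
    """Breadth-first search of the global state space with channels limited to
    `bound` messages; reports deadlocks and unspecified receptions found."""
    start = (tuple(initial), ((), ()))
    seen, queue = {start}, deque([start])
    deadlocks, unspecified, exceeded = [], [], False
    while queue:
        g = queue.popleft()
        locals_, chans = g
        succ, cut = successors(stations, g, bound)
        exceeded = exceeded or cut
        if all(not c for c in chans) and all(
                is_receiving(stations[i], locals_[i]) for i in range(2)):
            deadlocks.append(g)
        for i in range(2):
            inc = chans[1 - i]
            accepted = {label[1:] for label, _ in stations[i].get(locals_[i], [])
                        if label[0] == "?"}
            if inc and inc[0] not in accepted:
                unspecified.append(g)
                break
        for s in succ:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return Analysis(len(seen), deadlocks, unspecified, exceeded)


# Constructed protocols for this example (not from the paper).
SENDER = {"s0": [("!data", "s1")], "s1": [("?ack", "s0")]}
STOP_AND_WAIT = [SENDER, {"r0": [("?data", "r1")], "r1": [("!ack", "r0")]}]
# receiver wants two data messages before acknowledging: deadlock
TWO_BEFORE_ACK = [SENDER, {"r0": [("?data", "r1")], "r1": [("?data", "r2")],
                           "r2": [("!ack", "r0")]}]
# receiver never accepts "data": unspecified reception
WRONG_MESSAGE = [SENDER, {"r0": [("?ping", "r0")]}]
# sender never waits: the 0 -> 1 channel grows without bound
FLOOD = [{"s0": [("!data", "s0")]}, {"r0": [("?data", "r0")]}]

if __name__ == "__main__":
    for name, proto in [("stop-and-wait", STOP_AND_WAIT), ("two-before-ack", TWO_BEFORE_ACK),
                        ("wrong-message", WRONG_MESSAGE), ("flood", FLOOD)]:
        print(name, explore(proto, ("s0", "r0"), bound=3))
```

For the stop-and-wait protocol the search terminates with four global states and no errors, so the property is proved; for the flooding protocol it reports `bound_exceeded`, so nothing is proved about the protocol itself, only about its bounded approximation. That gap is what the recognizable-relation proofs of this paper are meant to close.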

The present paper advances our understanding of the question "What makes the reach- 
ability problems in the CFSM theory undecidable?" The paper contributes three new con- 
cepts to the theory: Affinity of SR-machines, simple-channel properties, and abstract flow 
control. 

The results about affine SR-machines point out close ties between the traditional automata theory and the theory of CFSM protocols. It is also shown (in the section on affine SR-machines) that, although many interesting properties of communicating SR-machines are undecidable, some become decidable under additional restrictions (affinity in this case).

Similarly, the results about simple-channel (recognizable channel and rational channel) 
properties demonstrate how some protocols with unbounded channels can be automatically 
analyzed, although the problems are undecidable for general protocols. The simple-channel 
restrictions formally express the observation that common protocols do not make use of the 
full generality of the CFSM model. "Protocols with unbounded channels usually use them 
in a simple manner, which makes them worth considering" ([Bra], p. 10). The results in this 
paper suggest a new formalism for protocol description (CFSM augmented with channel 
expressions) together with algorithms for automated analysis of the protocols so described. 

It should be pointed out that a proof of, say, deadlock- freedom in the form of a table of 
recognizable relations can be potentially advantageous even for a protocol with the bounded 
channel property. Indeed, it can happen that the reachable global states are separated from 
the deadlocked ones by a consistent family of recognizable relations that are described by 
short expressions, while at the same time the complete list of all reachable global states is 
very large. 

The theory of "recognizable proofs" (i.e. proofs based on recognizable relations) is all 
ready for use; the theory of "rational proofs", on the other hand, is not well understood. 
The key open question is whether reachability problems are algorithmically decidable for 
protocols with the rational channel property. The problem is answered in the affirmative 
for cyclic protocols in the section on cyclic protocols and for several other simple communication graphs in 
section 10. 

The aim of the abstract flow control, as defined and studied in this paper, is to limit 
the redundancy in the global state space, thereby improving the efficiency of the algorithms 
that decide the reachability properties. Abstract flow control methods should exploit the 
topology of the communication graph, as do the two priority schemes proposed in section 10. 

In section 10 it is shown how the priority schemes lead to qualitative gains: They allow 
us to construct algorithms for solving reachability problems for the rational-channel CFSM 
protocols with some communication graphs. Abstract flow control methods yield quanti- 
tative gains as well, but these are difficult to estimate in any meaningful way for general 
protocols. Perhaps a fruitful approach would be to study algorithms for finding optimal ab- 
stract flow control methods, or, for the sake of concreteness, optimal priority assignments. 
For example, one can formulate the optimization problem of finding (for an arbitrary com- 
munication graph) the priority assignment that minimizes a cost function, which measures 
the number of "needlessly reachable" global states. But that, as Kipling says, is another 
story. 
A Appendix: Post's tag systems 



The tag systems are first mentioned by Post [Pos] as a source of possibly undecidable 
problems. The undecidability is actually proved by Minsky ([Mi1], [Mi2]). 

A tag system is a 3-tuple $T = (\Sigma, g, w_0)$ where $\Sigma$ is a finite alphabet, $g$ is a function from $\Sigma$ to $\Sigma^*$ and $w_0 \in \Sigma^*$. Define

$$|g|^- = \min\{\, |g(b)| \mid b \in \Sigma \,\}, \qquad |g|^+ = \max\{\, |g(b)| \mid b \in \Sigma \,\}.$$

For every positive integer (deletion number), the tag system defines a function from $\Sigma^*$ to $\Sigma^*$; in what follows we only consider the function corresponding to the deletion number 2. The function, denoted $f_T$, is defined by

(a) if $|w| \le 1$ then $f_T(w) = \Lambda$; and

(b) if $w = b_0 b_1 \ldots b_n$, $n \ge 1$, then $f_T(w) = b_2 \ldots b_n\, g(b_0)$.

The sequence of $T$, denoted $\{s_n(T)\}_{n=0}^{\infty}$, is defined by $s_0(T) = w_0$, and $s_{n+1}(T) = f_T(s_n(T))$, $n \ge 0$.

Theorem A.1 There is no algorithm to decide, for every tag system $T = (\Sigma,g,w_0)$ with $|g|^- = 1$ and $|g|^+ = 3$, whether $s_n(T) = \Lambda$ for some $n$.

Proof. See Theorem 5 in [Wan].

Theorem A.2 There is no algorithm to decide, for every tag system $T = (\Sigma,g,w_0)$ with $|g|^- = 1$ and $|g|^+ = 3$, whether $|s_n(T)| \le c$ for some constant $c$ and every $n$.

Proof. If there were such an algorithm, we could construct an algorithm to decide the problem $s_n(T) = \Lambda$ of Theorem A.1 as follows: For a given $T$, first decide whether $|s_n(T)| \le c$ for some $c$ and all $n$. If this is not the case then $s_n(T) \neq \Lambda$ for all $n$ (once the sequence reaches $\Lambda$ it stays there, since $f_T(\Lambda) = \Lambda$, and is therefore bounded). If, on the other hand, the sequence of $T$ is bounded then it takes only finitely many values, so generate the successive strings $s_n(T)$ until $s_{m_0}(T) = s_{m_1}(T)$ for some $m_0$ and $m_1$, $m_0 \neq m_1$; now if $s_{m_0}(T) = \Lambda$ then the problem is decided, and if $s_{m_0}(T) \neq \Lambda$ then $s_n(T) \neq \Lambda$ for all $n$ (since $\Lambda$ is a fixed point of $f_T$, if it occurred at all it would occur throughout the period of the sequence, in particular as $s_{m_0}(T)$). □
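As an added example (not from the paper), the following Python code implements the deletion-number-2 tag systems of this appendix and the decision procedure used in the proof of Theorem A.2. The three tag systems at the end are constructed for this example; the bound `c` passed to `reaches_empty_if_bounded` stands for the bound that the proof assumes has already been decided.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, Optional

EMPTY = ""  # the empty word Λ


@dataclass(frozen=True)
class TagSystem:
    """T = (Σ, g, w0) with deletion number 2, as in the appendix."""
    alphabet: FrozenSet[str]
    g: Dict[str, str]
    w0: str

    def __post_init__(self):
        assert set(self.g) == set(self.alphabet), "g must be defined on all of Σ"
        assert all(set(v) <= self.alphabet for v in self.g.values())
        assert set(self.w0) <= self.alphabet

    def g_min(self) -> int:   # |g|^-
        return min(len(self.g[b]) for b in self.alphabet)

    def g_max(self) -> int:   # |g|^+
        return max(len(self.g[b]) for b in self.alphabet)

    def step(self, w: str) -> str:
        """f_T: (a) |w| <= 1 gives Λ; (b) otherwise drop b0 b1 and append g(b0)."""
        if len(w) <= 1:
            return EMPTY
        return w[2:] + self.g[w[0]]

    def sequence(self, n: int) -> Iterator[str]:
        """s_0(T), ..., s_n(T)."""
        w = self.w0
        for _ in range(n + 1):
            yield w
            w = self.step(w)


def reaches_empty_if_bounded(T: TagSystem, c: int) -> Optional[bool]:
    """The procedure from the proof of Theorem A.2, given a bound c that the
    proof assumes has been decided: generate s_n(T) until a string repeats
    (unavoidable, since only finitely many words over Σ have length <= c) and
    report whether the repeated string is Λ. Because Λ is a fixed point of f_T,
    Λ occurs in the sequence at all iff the first repeated value is Λ.
    Returns None if some s_n(T) exceeds c: the premise |s_n(T)| <= c was false
    and nothing is decided, which is what Theorem A.2 says cannot be avoided."""
    seen: Dict[str, int] = {}
    w, n = T.w0, 0
    while True:
        if len(w) > c:
            return None
        if w in seen:           # s_{m0} = s_{m1} with m0 = seen[w] < m1 = n
            return w == EMPTY
        seen[w] = n
        w, n = T.step(w), n + 1


# Constructed examples (not from the paper); all have |g|^- = 1 and |g|^+ = 3.
HALTS = TagSystem(frozenset("ab"), {"a": "b", "b": "aaa"}, "aab")        # reaches Λ
CYCLES = TagSystem(frozenset("abc"), {"a": "aa", "b": "b", "c": "ccc"}, "aa")   # "aa" forever
GROWS = TagSystem(frozenset("abc"), {"a": "aaa", "b": "b", "c": "cc"}, "aaa")   # length +1 each step

if __name__ == "__main__":
    print(list(HALTS.sequence(5)))
    for name, T in [("halts", HALTS), ("cycles", CYCLES), ("grows", GROWS)]:
        print(name, reaches_empty_if_bounded(T, c=10))
```

For `HALTS` the sequence is aab, bb, aaa, ab, b, Λ and the procedure answers True; `CYCLES` repeats "aa" immediately and answers False; `GROWS` leaves the bound and the procedure gives up, which is the case the theorem says no procedure can handle in general.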

Theorem A.3 There is no algorithm to decide, for every tag system $T = (\Sigma,g,w_0)$ such that $|g|^- = 1$, $|g|^+ = 3$ and $s_n(T) \neq \Lambda$ for all $n$, whether $|s_n(T)| \le c$ for some constant $c$ and every $n$.

Proof. For every tag system $T = (\Sigma,g,w_0)$ choose a symbol $\# \notin \Sigma$ and define $\Sigma' = \Sigma \cup \{\#\}$,

$$g'(b) = g(b) \quad \text{for } b \in \Sigma, \qquad g'(\#) = [\text{lost in the extracted text}], \qquad w_0' = [\text{lost in the extracted text}].$$

Then the tag system $T' = (\Sigma',g',w_0')$ is bounded (i.e. $|s_n(T')| \le c$ for some $c$ and all $n$) if and only if $T$ is. Moreover, $s_n(T') \neq \Lambda$ for all $n$, because every $s_n(T')$ contains the subsequence [lost in the extracted text].

Thus if we had an algorithm to decide the boundedness for every $T' = (\Sigma',g',w_0')$ such that $|g'|^- = 1$, $|g'|^+ = 3$ and $s_n(T') \neq \Lambda$ for all $n$, then we would also have an algorithm to decide boundedness for every $T = (\Sigma,g,w_0)$ such that $|g|^- = 1$ and $|g|^+ = 3$, in contradiction to A.2. □






References 

[Ber] J. Berstel: Transductions and context-free languages, B. G. Teubner Stuttgart (1979). 

[Bir] M. Bird: The equivalence problem for deterministic two-tape automata, J. Comput. 
System Sci. 7 (1973) 218-236. 

[Bo1] G. V. Bochmann and C. Sunshine: Formal methods in communication protocol design, 
IEEE Trans. Comm. COM-28 (1980), 624-631. 

[Bo2] G. V. Bochmann: A general transition model for protocols and communication ser- 
vices, IEEE Trans. Comm. COM-28 (1980), 643-650. 

[Bra] D. Brand and P. Zafiropulo: On communicating finite state machines, IBM RZ 1053 
(1981). 

[Eil] S. Eilenberg: Automata, languages and machines, Vol. A, Academic Press (1974). 

[Gou] M. G. Gouda: Protocol machines - towards a logical theory of communication pro- 
tocols, Univ. of Waterloo Ph. D. thesis (1977). 

[Hop] J. E. Hopcroft and J. D. Ullman: Introduction to automata theory, languages and 
computation, Addison-Wesley (1979). 

[Kan] R. Kannan and R. J. Lipton: The orbit problem is decidable, Proc. 12th Annual 
ACM Symp. on Theory of Computing (1980), 252-261. 

[Luc] C. L. Lucchesi and D. H. Younger: A minimax theorem for directed graphs, J. London 
Math. Soc. (2) 17 (1978), 369-374. 

[Man] Z. Manna and R. Waldinger: The logic of computer programming, IEEE Trans. on 
Software Engineering, SE-4 (1978), 199-229. 

[May] E. Mayr: An algorithm for the general Petri net reachability problem, Proc. 13th 
Annual ACM Symp. on Theory of Computing (1981), 238-246. 

[Mi1] M. Minsky: Recursive unsolvability of Post's problem of "tag" and other topics in 
theory of Turing machines, Ann. Math. 74 (1961), 437-455. 

[Mi2] M. Minsky: Computation - finite and infinite machines, Prentice-Hall (1967). 

[Pos] E. Post: Formal reduction of the combinatorial decision problems, Amer. J. Math. 65 
(1943), 196-215. 

[Rub] J. Rubin and C. H. West: An improved protocol validation technique, IBM RZ 1024 
(1980). 






[Wan] H. Wang: Tag systems and lag systems, Math. Annalen 152 (1963), 65-74. 

[Zaf] P. Zafiropulo, C. H. West, H. Rudin, D. D. Cowan and D. Brand: Towards analyzing 
and synthesizing protocols, IEEE Trans. Comm. COM-28 (1980), 651-661. 






